The vulnerability is a risk to users on servers and workstations that open documents with embedded OLE objects.
It is currently being exploited via PowerPoint files as some companies are still trying to use these in meetings to bore staff to death without actually helping the company develop.
Apparently these specially crafted files contain a malicious OLE (Object Linking and Embedding) object which can be exploited by cybercriminals. What makes this nasty is that the vulnerability affects the latest fully patched versions of Windows.
Microsoft points out that the email attack scenario requires user interaction: it only works if the recipient opens the attachment.
For this attack to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object.
The attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability.
“In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.”
Successful exploitation gives the attacker the same user rights as the current user. If that user has administrative rights, the attacker can install programs; view, change, or delete data; or create new accounts with full user rights.
The vulnerability affects all supported Windows versions, and there is currently no patch for it. Microsoft is still investigating the matter and deciding whether they will issue an out-of-band patch or wait for the next Patch Tuesday to plug the hole.
Until a patch is available, do not open Microsoft PowerPoint files, other Office files, or any other files received or downloaded from untrusted sources.
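Because the attack hinges on a document carrying an embedded OLE object, a defender screening inbound attachments can at least flag which files contain one before anyone opens them. The script below is an added example, not code from the original article or from Microsoft: it inspects a modern Office file (a .pptx/.docx/.xlsx package, which is a ZIP archive) for parts under an `embeddings/` folder and for the standard `application/vnd.openxmlformats-officedocument.oleObject` content type, and recognises the OLE2 compound-file signature `D0 CF 11 E0 A1 B1 1A E1` both inside embedded parts and at the top of a legacy binary Office file. The sample package it builds in memory is constructed for the demonstration; the file names and helper functions are the example's own.

```python
import io
import zipfile

# Standard OOXML content type for an embedded OLE object
OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"
# OLE2 / Compound File Binary header signature
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_pptx(with_ole: bool) -> bytes:
    """Constructed sample: a minimal .pptx-style package, optionally with one embedded OLE part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        defaults = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_ole:
            defaults.append(f'<Default Extension="bin" ContentType="{OLE_CONTENT_TYPE}"/>')
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + "".join(defaults) + "</Types>",
        )
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if with_ole:
            # A placeholder OLE2 stream: valid signature followed by padding (constructed, inert)
            z.writestr("ppt/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


def find_embedded_ole(data: bytes) -> list:
    """Return the package paths of embedded OLE objects found in an Office file.

    For OOXML packages, a part is reported when it lives under an embeddings/
    folder and either starts with the OLE2 signature or the package declares
    the OLE object content type. A legacy binary Office file is itself an
    OLE2 compound file and is reported as such.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            declares_ole = False
            if "[Content_Types].xml" in names:
                content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
                declares_ole = OLE_CONTENT_TYPE in content_types
            for name in names:
                if "/embeddings/" not in name:
                    continue
                with z.open(name) as part:
                    head = part.read(len(OLE_MAGIC))
                if head == OLE_MAGIC or declares_ole:
                    hits.append(name)
    except zipfile.BadZipFile:
        # Not a ZIP package: legacy .ppt/.doc/.xls files are OLE2 containers themselves
        if data[: len(OLE_MAGIC)] == OLE_MAGIC:
            hits.append("<legacy OLE2 compound file>")
    return hits


def scan_file(path: str) -> list:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return find_embedded_ole(fh.read())


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_pptx(False)),
                          ("with OLE", build_sample_pptx(True))):
        print(f"{label}: {find_embedded_ole(sample)}")
```

The check is a triage aid, not a verdict: a flagged file still needs review (many legitimate decks embed spreadsheets or charts as OLE objects), and a clean result only means no embedded object was found by these two indicators. Run `scan_file()` over a quarantine folder to decide which attachments warrant a closer look before they reach users.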