Russia-linked APT28 attackers already abusing new Microsoft Office zero-day

Russia-linked attackers are already exploiting Microsoft's latest Office zero-day, with Ukraine's national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU. In an alert published on Sunday, CERT-UA says the activity is being driven by …

  1. Anonymous Coward

    Carry-on regardless

    To the Russian attackers: please continue, and don't stop until they discontinue this pile of crap.

    1. Eric 9001

      Re: Carry-on regardless

      Why would Microsoft ever discontinue such a cash cow?

      Microsoft wouldn't discontinue it even if every last instance was persistently exploited (oh wait, that's the whole idea of proprietary software - the developer exploits every last user).

      Interestingly, the exploit doesn't seem applicable if you just used LibreOffice, more so if run on GNU/Linux.

      1. Fred Daggy Silver badge

        Re: Carry-on regardless

        To mangle Galbraith: "Under capitalism, vendor exploits user. Under communism, it's just the same: hacker exploits user."

    2. werdsmith Silver badge

      Re: Carry-on regardless

      If Office and MS were to disappear from the desktop, whatever replaces it will become the focus of attacks and exploits. Be thankful that it is there as a diversionary shield to protect your Sanctimonious-ware.

      1. MacroRodent

        Re: Carry-on regardless

        The proper answer is diversity. This is why, in biology, no virus manages to destroy all individuals of a species. To promote this, governments at least should use only open standard document formats, and these must be enforced: if a word processor (from whatever vendor or open-source project) messes up the layout in an extensive test suite, it shall not be used. There are standards for items like paper sizes and even the properties of ball-point pen ink, so why not word processors?

    3. stungebag

      Re: Carry-on regardless

      Yes, I'm sure LibreOffice is sufficiently bulletproof to resist hacking attempts by a very powerful rogue state.

      1. david 12 Silver badge

        Re: Carry-on regardless

        LO has ~very little~ protection against typical .doc malware, such as document-event driven macros.

        1. Eric 9001

          Re: Carry-on regardless

          LO doesn't run macros by default; it asks before running them, which happens to be quite good at preventing macro attacks (it's clear that a document almost always should not use a macro).

  2. Anonymous Coward

    So...

    Are Windows 10 systems able to patch themselves? They represent what, half the systems out there? Seems Microsoft should patch them too, since it's Office, not Windows, that contains the flaw.

    1. Eric 9001

      Re: So...

      Yes, there is a remote backdoor in Windows 10 that allows Microsoft to make whatever arbitrary changes it likes remotely (the auto-update feature).

      Although the exploit is carried out against Office, a flaw in Windows allows for attacker persistence; it's up to Microsoft to choose whether to fix that flaw in Windows 10 and whether to roll out the patch only to "extended-support" systems or to all systems.

    2. Roland6 Silver badge

      Re: So...

      Currently running Office 2019 on W10 (both x64 versions) on a couple of laptops.

      Whilst I had updated other Microsoft products via Windows Update, and within Office it was set to update automatically, I had to manually click "Update Now" (in Office) to get it to fetch and install the security update now; I suspect that if I had waited a month the automatic update scheduler would have got around to applying the update.
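As an added example (not code from this thread, The Register or Microsoft), the following PowerShell script reads the installed Click-to-Run Office build from the registry and triggers the same "Update Now" action the comment above describes, but from the command line, so a fleet of Windows 10 laptops does not have to wait for the scheduler. It assumes Office is a Click-to-Run install (Office 2019 and Microsoft 365 Apps are), that it runs elevated, and that you supply the minimum fixed build number from Microsoft's advisory yourself; the thread does not quote one, so the build in the usage line is a placeholder.

```powershell
# Added example for this thread, not code from The Register or Microsoft.
# Assumptions (not stated on the page): Office is a Click-to-Run install
# (Office 2019 and Microsoft 365 Apps are), the script runs elevated, and the
# caller supplies the minimum fixed build from Microsoft's advisory, since the
# thread does not quote one.

$C2RConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$C2RClient    = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'

function Get-OfficeC2RInfo {
    # VersionToReport, Platform and UpdatesEnabled are values the
    # Click-to-Run installer writes into this key.
    $cfg = Get-ItemProperty -Path $C2RConfigKey -ErrorAction Stop
    [pscustomobject]@{
        Version        = [version]$cfg.VersionToReport
        Platform       = $cfg.Platform
        UpdatesEnabled = $cfg.UpdatesEnabled
    }
}

function Test-OfficeBuildAtLeast {
    param([Parameter(Mandatory)][version]$MinimumBuild)
    # $true when the installed build is at or above the build taken from the
    # advisory; $false means the machine is still running the unpatched build.
    (Get-OfficeC2RInfo).Version -ge $MinimumBuild
}

function Invoke-OfficeUpdateNow {
    # Same action as File > Account > Update Options > Update Now inside an
    # Office app, but scriptable. forceappshutdown=false leaves open documents
    # alone; the update is applied once the apps are closed.
    if (-not (Test-Path $C2RClient)) {
        throw "Click-to-Run client not found at $C2RClient"
    }
    & $C2RClient /update user displaylevel=false forceappshutdown=false
}

# Usage: replace the placeholder below with the fixed build from Microsoft's
# advisory (hypothetical value here, not taken from the page).
$required = [version]'16.0.0.0'
if (-not (Test-OfficeBuildAtLeast -MinimumBuild $required)) {
    Invoke-OfficeUpdateNow
}
Get-OfficeC2RInfo
```

Run it once before and once after the update; if `Version` does not move past the advisory's build, check `UpdatesEnabled` and whether a Group Policy update path overrides the default CDN.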

  3. david 12 Silver badge

    Mitigation

    The mitigation offered blocked the specific malware: it blocked use of the legacy IE engine used by the script.

    It ~appears~ to me that the bug is that you can avoid an authorization step by moving between a 64-bit application and a 32-bit COM object, but I may have misunderstood that.
