The tech giant has warned about a new unpatched software vulnerability affecting almost all Windows computers. The flaw looks very similar to the one used in recent hacker attacks on the Ukrainian government. Now it is being used against Taiwanese targets: the attackers create malicious PowerPoint documents which launch exploit code on target machines when opened. The security experts admit the hackers could have used any Office file, but for some reason they chose PowerPoint.

Cyber intelligence experts warned that another (though similar) flaw was being used in so-called “Sandworm” attacks against Ukraine, the European Union, NATO, French telecom companies and even Polish energy suppliers. In previous cases, Russian hackers were suspected of intrusions.

Security companies believe that the two vulnerabilities are linked and have been exploited in the same way. While investigating the patch for the first flaw, the researchers found that the fix wasn’t working and the vulnerability could still be exploited. However, there is no evidence that the recent flaw was being used by the same Sandworm hacker crew. The security firm’s sensors had detected activity indicating the zero-day vulnerability was being used to attack people in Taiwan. They concluded that Microsoft’s patch for the Sandworm flaw didn’t work properly and that the new vulnerability exploits this.

The researchers have seen a number of samples, one of which probably targeted Taiwan and delivered the Taidoor malware. This type of activity has been attributed to Chinese cyber espionage in the past.

Three Google and two McAfee researchers were credited with disclosing the latest flaw to Microsoft. The vulnerability affects all supported versions of Windows except Windows Server 2003 and originates in a technology called Object Linking and Embedding (OLE), which is used to share data between applications. For example, in Microsoft Office this technology is used when parts of a file appear within another file, like when an Excel chart is included in a Word document.
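As an added illustration (not code from the article or from any vendor advisory), the Python sketch below shows how a defender could check whether a modern Office file carries embedded OLE objects before anyone opens it. It assumes the zip-based OOXML formats (.pptx, .ppsx, .docx, .xlsx), which keep embedded objects under an `embeddings/` folder; the sample documents are constructed in memory, and the function names are hypothetical.

```python
import io
import zipfile

# Signature that starts every OLE2 compound file (the container for OLE objects).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def find_embedded_ole(data: bytes) -> list[dict]:
    """Return one record per embedded-object part in an OOXML (zip) document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            # Office stores embedded objects under <app>/embeddings/ (ppt/, word/, xl/).
            if "/embeddings/" not in name or info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(OLE_MAGIC))
            findings.append({
                "part": info.filename,
                "size": info.file_size,
                "is_ole": head == OLE_MAGIC,
            })
    return findings


def build_sample(with_object: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a .pptx, not a real deck."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        if with_object:
            zf.writestr("ppt/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


def triage(data: bytes) -> str:
    """Flag documents that carry OLE objects for closer inspection before opening."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml"  # legacy .ppt/.doc are OLE containers themselves; out of scope
    hits = [f for f in find_embedded_ole(data) if f["is_ole"]]
    return "review" if hits else "no-ole-objects"


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("embedded", build_sample(True))):
        print(label, triage(sample), find_embedded_ole(sample))
```

An embedded object is not malicious by itself, since legitimate documents embed charts and spreadsheets in the same way; a "review" result only means the file deserves a closer look before it is opened.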

When the victim opens a malicious document, usually received via email, they risk handing over control of their machine to the attackers. The experts point out that this vulnerability can’t directly grant an attacker administrator-level access, but would allow them the same permissions as the victim. Advanced users will notice the “User Account Control” popup that requires consent when a malicious file is opened. In the meantime, Microsoft hasn’t disclosed when it is going to release a patch for the bug, but the company has included a fix-it solution in its advisory.

So, for now, Internet users are advised to be careful about opening Office documents received via email, social media or instant messengers from unknown parties. Everyone is also reminded to be wary of links from untrusted sources, because those may be used to launch a malicious Office document from the hacker’s website.