March 24, 2014

Microsoft warned today that attackers are exploiting a previously unknown security hole in Microsoft Word that can be used to foist malicious code if users open a specially crafted text file, or merely preview the message in Microsoft Outlook.

In a notice published today, Microsoft advised:

“Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

To be clear, Microsoft said the exploits it has seen so far attacking this vulnerability have targeted Word 2010 users, but according to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011.

Microsoft says it’s working on an official fix for the flaw, but that in the meantime affected users can apply a special Fix-It solution that disables the opening of RTF content in Microsoft Word. Microsoft notes that the vulnerability could be exploited via Outlook only when using Microsoft Word as the email viewer, but by default Word is the email reader in Microsoft Outlook 2007, Outlook 2010 and Outlook 2013.

One way to harden your email client is to render emails in plain text. For more information on how to do that with Microsoft Outlook 2003, 2007, 2010 and 2013, see these two articles.


89 thoughts on “Microsoft: 0Day Exploit Targeting Word, Outlook

  1. e

    Brian, thank you for posting these warnings. A suggestion: it would help if in each of these postings you could indicate whether each problem affects users NOT running as Admins. For example, according to Steve Gibson, this particular problem can be completely avoided as long as you are not running as an Admin even if you dont perform all the other steps you recommend. This would save people like me alot of worry.

    1. AReader

      E, this 0 day acquires the user rights of the user that runs or views the RTF file that contains the exploit. Therefore it is NOT “completely avoided” as Mr. Gibson states. The attacker would gain the rights of the user that opened or previewed the RTF file. Not being in the administrators group helps but doesn’t remove the threat. For example, Cryptolocker runs as a normal user and does not need admin rights. For further information see Microsoft’s Security Advisory 2953095

      1. e

        Thanks I understand about Cryptolocker so I run the Cryptoprevent Tool for that one. But what exactly happens with this one if you arent running as an admin?

  2. Cameron

    anyone want to elaborate on how this 0-day works on a technical level?

  3. iguess

    @ Cameron

    …two words …”buffer overflow”

  4. Reader X

    Blessed are the volume licensed, for they shall be able to use GPO until the patch.

    http://technet.microsoft.com/en-us/library/cc179176.aspx

    “Using Group Policy to manage Office 2013 is supported only in Office 365 ProPlus, in volume licensed versions of Office 2013, and in individual Office 2013 applications that are sold through retail stores or through volume licensing.”

  5. coakl

    MS updated the advisory yesterday: WordPad is not affected.
    Thus, switch the default viewer for RTF from MS Word to WordPad.
    On Win XP, this is done in Windows Explorer, Tools menu, Folder Options. You need administrative rights.
    On Win 7, go to the Control Panel >> Default Programs >>Associate file. Admin rights not needed.

  6. Novista

    What to make of this? Yesterday, I noticed an ‘anomaly’ on an rtf file on the desktop of a Win7 laptop.

    Any icon after that was inaccessible, all before responded to the cursor and click. Also, IE was open on a web page but that window was inaccessible, would not respond nor close.

    The rtf file itself was written in WordPad, I don’t even have email initiated on this new machine, and not using the ‘limited’ Office suite anyway.

    I deleted the rtf file via the file explorer, it vanished and the IE window was back to normal. Weird.

  7. Paul

    For those worried about Office 2003 support ending try LibreOffice or OpenOffice.
    Time to check out the free, safe, secure & feature-packed LibreOffice. Its truly multi-platform & takes just a few minutes to install.

    Try it now you have so much to gain: http://www.libreoffice.org/download

    I think Thunderbird is safe as well.

  8. Christian

    This is a big flaw and I hope it gets fixed, but security policy is the big thing here. Don’t download a file you do not trust or download from an email/website you do not trust. As AVs and patching may block or fix things, common sense is the best defense.

Comments are closed.