More IT Grief: Office Exploit Broadly Released

Code that can exploit a Rich Text Format flaw in Microsoft Office has been published, according to a Microsoft announcement late last month.

The good news is that IT pros who applied Microsoft November patch for this exploit have addressed that RTF vulnerability in Office. However, those behind on completing their patching tasks may need to find the time, especially with the general availability of the attack code. The Office flaw just adds to IT woes. Microsoft also recently issued a security advisory concerning a Windows graphics rendering engine flaw. Additionally, there's a Microsoft security advisory released on Internet Explorer, plus Microsoft is investigating a proof-of-concept flaw in Internet Information Services FTP 7.5.

Microsoft released a patch for the Office RTF vulnerability, known as CVE-2010-3333, in November, and no widespread outbreaks of exploits have yet been reported. The public availability of an exploit lowers the bar for attackers, however, and increases the urgency for seeing that affected software is patched.

"Hopefully, everybody is adhering to best practices and patching as soon as possible," said Joshua Talbot, security intelligence manager for Symantec Security Response. "If people haven't made this a priority, now would be a good time."

The RTF Stack Buffer Overflow Vulnerability affects Microsoft Office XP and Office 2003 Service Pack 3, Office 2007 SP2, as well as Office 2010 32-bit and 64-bit editions. Microsoft described the vulnerability and released a patch for it in its November security bulletin. A flaw in the way Office software processes RTF data can allow an attacker to take control of the victim's computer to install programs; view, change, or delete data; or create new accounts with full user rights.

The vulnerability was rated important or critical, depending on the platform.

"We predicted at the time that it would become a target of attackers," Talbot said. "Since then we've seen a number of attacks in the wild, but no widespread exploitation."

But with the public availability of attack code, that could change. "The main concern is that the exploit is available so that less-skilled attackers can use it," Talbot said.

Microsoft's Malware Protection Center Blog reported on Dec. 29 that a sample of a successful exploit for this vulnerability able to execute malicious shellcode that downloads other malware had been found a few days before Christmas.

"The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one," Microsoft reported in its MMPC blog. "The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack."

In addition to patching affected software, Microsoft recommended using Office File Block to block opening RTF documents from unknown or untrusted sources.

Because the vulnerability exists in Office software, Microsoft Outlook also could be used as a vector for delivering attacks by sending an RTF message by e-mail and having it open automatically in the Outlook preview pane. The current exploit uses only RTF Word documents, however, which could reduce the danger because it would require the recipient to open the document rather than having this happen automatically.

Microsoft advises reading e-mails only in plain text formats as a workaround. Users of Outlook 2002 who have applied Office XP Service Pack 1 or a later version can require that messages that are not digitally signed or encrypted be read only as plain text.

About the Author

William Jackson is the senior writer for Government Computer News (


  • Google IDs on Azure Active Directory B2B Service Now at 'General Availability'

    Microsoft announced on Wednesday that users of the Google identity and access service can use their personal log-in IDs with the Azure Active Directory B2B service to access resources as "guests."

  • Top 4 Overlooked Features of a Data Backup Strategy

    When it comes to implementing an airtight backup-and-recovery plan, these are the four must-have features that many enterprises nevertheless tend to forget.

  • Microsoft Bolsters Kubernetes with Azure Confidential Computing

    Microsoft on Tuesday announced various developments concerning the use of Kubernetes, an open source container orchestration solution fostered by Google.

  • Windows Will Have Support for Encrypted DNS

    Microsoft announced this week that the Windows operating system already has support for an encrypted Domain Name System option that promises to add greater privacy protections for Internet connections.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.