Security Advisor

Microsoft Warns of Office RTF 0-Day Attacks

It's recommended that IT disable Rich Text Files from being opened through Microsoft Office.

Microsoft said it is aware of an unpatched vulnerability that is being used in limited attacks against those using Microsoft Word.

The company issued Security Advisory 2953095 on Monday to advise the public on the remote code execution (RCE) flaw that can be leveraged if a malicious Rich Text File (RTF) is either opened in Office 2010 or previewed in Outlook with Word as the designated preview viewer.

Affected versions include Word 2003, 2007, 2010, Office for Mac 2011, Office Web Apps 2010 and Office Web Apps Server 2013. However, Microsoft said the active attacks have only targeted those systems running Word 2010.

The attacks could either come in the form of a harmful e-mail attachment or a Web-based attack in which a malicious RTF file is hosted and downloaded by a user. While Microsoft didn't detail the method actively being used in the wild, it's currently looking into the matter.

"On completion of investigation for this vulnerability, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," wrote Microsoft.

The vulnerability was first privately disclosed to Microsoft by Drew Hintz, Shane Huntley and Matty Pellegrino of the Google Security Team on Jan. 31.

As Microsoft continues to work on a solution to the zero-day attack vulnerability, either by releasing an out-of-band patch or including it in an upcoming monthly security update, the company detailed a stop-gap in the form of a "fix-it" solution that will disable opening RTF content in Word. It's recommended that network admins either manually disable RTF document viewing or run the fix-it solution, which will automatically disable opening of the file type.

Also, attacks through this flaw can be avoided by those using Microsoft's Enhanced Mitigation Experience Toolkit (EMET).  Further, Microsoft recommends making sure all affected software is up to date, firewalls properly configured and antimalware software is installed.

About the Author

Chris Paoli is the site producer for and


  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

  • Most Microsoft Retail Locations To Shut Down

    Microsoft is pivoting its retail operations to focus more on online sales, a plan that would mean the closing of most physical Microsoft Store locations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.