Microsoft Warns of Office RTF 0-Day Attacks
It's recommended that IT block Rich Text Format (RTF) files from being opened through Microsoft Office.
Microsoft said it is aware of an unpatched vulnerability that is being used in limited attacks against those using Microsoft Word.
The company issued Security Advisory 2953095 on Monday to advise the public on the remote code execution (RCE) flaw that can be leveraged if a malicious Rich Text Format (RTF) file is either opened in Office 2010 or previewed in Outlook with Word as the designated preview viewer.
Affected versions include Word 2003, 2007, 2010, Office for Mac 2011, Office Web Apps 2010 and Office Web Apps Server 2013. However, Microsoft said the active attacks have only targeted those systems running Word 2010.
The attacks could either come in the form of a harmful e-mail attachment or a Web-based attack in which a malicious RTF file is hosted and downloaded by a user. While Microsoft didn't detail the method actively being used in the wild, it's currently looking into the matter.
"On completion of investigation for this vulnerability, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," wrote Microsoft.
The vulnerability was first privately disclosed to Microsoft by Drew Hintz, Shane Huntley and Matty Pellegrino of the Google Security Team on Jan. 31.
As Microsoft continues to work on a solution to the zero-day attack vulnerability, either by releasing an out-of-band patch or including it in an upcoming monthly security update, the company detailed a stop-gap in the form of a "fix-it" solution that will disable opening RTF content in Word. It's recommended that network admins either manually disable RTF document viewing or run the fix-it solution, which will automatically disable opening of the file type.
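Before rolling out the block, it helps to know which files it will actually touch. The script below is an added example, not from Microsoft's advisory or this article: it identifies RTF by content signature rather than by file extension, so RTF content saved under a .doc name is counted too. The function names, category labels and sample bytes are constructed for illustration.

```python
import os

# Well-formed RTF starts with "{\rtf1". Matching the shorter "{\rt" prefix is a
# deliberately conservative choice here: it over-matches rather than under-matches.
RTF_PREFIX = b"{\\rt"
UTF8_BOM = b"\xef\xbb\xbf"

def is_rtf(head: bytes) -> bool:
    """True if the leading bytes look like an RTF header.

    A UTF-8 BOM and leading whitespace are skipped (also a conservative choice).
    """
    if head.startswith(UTF8_BOM):
        head = head[len(UTF8_BOM):]
    return head.lstrip(b" \t\r\n").startswith(RTF_PREFIX)

def classify(name: str, head: bytes) -> str:
    """Compare what the content is with what the file name claims."""
    ext = os.path.splitext(name)[1].lower()
    if is_rtf(head):
        return "rtf" if ext == ".rtf" else "rtf-disguised"
    return "rtf-extension-only" if ext == ".rtf" else "other"

def audit_dir(root: str) -> dict:
    """Walk a directory (file share, mail quarantine export) and classify each file."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify(fname, fh.read(64))
            except OSError:
                results[path] = "unreadable"
    return results

# Constructed sample inputs: (file name, first bytes of content).
SAMPLES = [
    ("invoice.rtf", b"{\\rtf1\\ansi Hello}"),
    ("report.doc", b"\r\n{\\rtf1\\ansi Quarterly numbers}"),
    ("legacy.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("notes.rtf", b"plain text saved with the wrong extension"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name:12} {classify(name, head)}")
```

Files reported as "rtf-disguised" are the ones an extension-based mail or proxy filter would let through.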
Also, attacks through this flaw can be avoided by those using Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Further, Microsoft recommends making sure all affected software is up to date, firewalls are properly configured and antimalware software is installed.