Microsoft Issues Emergency Fix it for Exploited 0-day Vulnerability in Word


Related Links

Related Stories

  • The Pressures Facing IT Security Pros
    Companies employ security professionals to defend their networks. They are pitted against equally professional and particularly talented attackers using 0-day weapons the defenders have never seen before. Judging by the number of breaches occurring almost daily, the attackers appear to be in the ascendant. Now a new report seeks to uncover the pressures affecting our defenders in their daily work.
  • Microsoft, Adobe Release Emergency 0-Day Fixes
    For the second time in a month Adobe has released an out-of-band emergency fix for a Flash vulnerability. Meanwhile, Microsoft has published a Fix it for a vulnerability affecting IE 9 and 10. In both cases the vulnerabilities are already being exploited in hacking campaigns uncovered by FireEye.
  • New IE 0-Day Used in Watering Hole Attack
    A new Internet Explorer 0-day exploit, apparently used by an old hacking group, was found to have been served by the compromised Veterans of Foreign Wars website. Similarities in the attack suggest the same group as that involved in operations DeputyDog and Ephemeral Hydra were behind the attack. That group is thought to emanate from China.
  • Microsoft Issues Warning on XP/Server 2003 0-Day
    Microsoft has issued a security advisory describing a new 0-day vulnerability in the XP/Server 2003 kernel that is actively being exploited in the wild. Newer versions of Windows are not affected.
  • New Microsoft 0-Day in Use by Two Distinct Hacking Groups
    The new vulnerability announced earlier this week, which is exploited against a Tiff parsing problem in Windows, is already in use by two different groups: Hangover and Arx. Both seem to be based in India.

Top 5 Stories


Microsoft Issues Emergency Fix it for Exploited 0-day Vulnerability in Word

25 March 2014

Microsoft yesterday issued an advisory and Fix it for a vulnerability in Word that is already being exploited in 'limited, targeted attacks.' Fix its provide a quick temporary defense while the company prepares a full patch. "We encourage all customers using Microsoft Word to apply this Fix it to help protect their systems," warns Microsoft.

The known attacks are all currently directed at MS Word 2010, but the vulnerability also affects Word 2007 and 2013 and is present on both PC and Mac versions. "The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer," explains the advisory.

The fault lies in the file format parser for RTF, explains Wolfgang Kandek, CTO at Qualys. "The attack vector is a document in RTF format that the victim would have to open with Word. If the target uses Outlook 2007, 2010 or 2013 for e-mail, please be aware that Word is the default viewer for e-mails, and that even looking at the e-mail in the preview pane could lead to an infection through this attack," he warns.

If successfully exploited the flaw can give the attacker the same rights as that of the user. Many companies and almost all consumers operate at 'administrator' level – which means that the attacker could take full control of the victim computer.

There are numerous mitigations that could be used to alleviate the problem, and Microsoft has provided an extensive analysis of the problem in a separate Technet blog. The simplest solution is to disable RTF as a supported file format within Microsoft Office. This, however, is not always possible for consumers, nor easy for the way that companies operate. Applying the Fix it is the best quick fix.

Microsoft is currently investigating the vulnerability (reported to them by the Google Security Team), and says it "will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

If a patch can be prepared in time for next month's Patch Tuesday, it is likely to see it issued then. However, since the flaw is now known and affects other versions than the targeted Word 2010, it is likely that other cybercriminals are looking for and working on their own exploits. If more widespread attacks are detected, Microsoft might decide to issue an out-of-band patch as soon as it is available.

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×