The known attacks are all currently directed at MS Word 2010, but the vulnerability also affects Word 2007 and 2013 and is present on both PC and Mac versions. "The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer," explains the advisory.
The fault lies in the file format parser for RTF, explains Wolfgang Kandek, CTO at Qualys. "The attack vector is a document in RTF format that the victim would have to open with Word. If the target uses Outlook 2007, 2010 or 2013 for e-mail, please be aware that Word is the default viewer for e-mails, and that even looking at the e-mail in the preview pane could lead to an infection through this attack," he warns.
If successfully exploited, the flaw gives the attacker the same rights as the logged-on user. Many companies and almost all consumers run at 'administrator' level, which means that the attacker could take full control of the victim's computer.
There are numerous mitigations that could be used to alleviate the problem, and Microsoft has provided an extensive analysis of the problem in a separate Technet blog. The simplest solution is to disable RTF as a supported file format within Microsoft Office. This, however, is not always possible for consumers, nor easy to fit with the way that companies operate. Applying the Fix it is the best quick fix.
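The mitigation described above, disabling RTF as a supported file format, is implemented in Word through its File Block settings. The PowerShell below is an added example, not code from the article or from Microsoft, that audits and optionally applies that setting for the current user. It assumes the File Block settings live under `HKCU:\Software\Microsoft\Office\<version>\Word\Security\FileBlock`, that a `RtfFiles` DWORD of 2 means "do not open or save", that `OpenInProtectedView` set to 0 stops blocked files from being opened in Protected View, and that 14.0 and 15.0 are the version keys for Word 2010 and Word 2013; verify these against the Technet post before relying on them.

```powershell
# Added example (not from the article or from Microsoft).
# Assumed registry layout for Word's File Block policy:
#   HKCU:\Software\Microsoft\Office\<ver>\Word\Security\FileBlock
#   RtfFiles (DWORD)            2 = do not open or save RTF files
#   OpenInProtectedView (DWORD) 0 = blocked files are not opened in Protected View
# Assumed version keys: 14.0 = Word 2010, 15.0 = Word 2013.

# Report, per Office version, whether opening RTF files is currently blocked.
function Get-WordRtfBlockStatus {
    param(
        [string[]]$OfficeVersions = @('14.0', '15.0')
    )
    foreach ($v in $OfficeVersions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Word\Security\FileBlock"
        $rtf = $null
        $pv  = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $rtf = $props.RtfFiles
            $pv  = $props.OpenInProtectedView
        }
        [pscustomobject]@{
            OfficeVersion       = $v
            RegistryKey         = $key
            RtfFiles            = $rtf
            OpenInProtectedView = $pv
            # Fully mitigated only when RTF is blocked AND not routed to Protected View.
            RtfOpenBlocked      = (($rtf -eq 2) -and ($pv -eq 0))
        }
    }
}

# Apply the block for the current user. Word must be restarted for it to take effect.
function Set-WordRtfBlock {
    param(
        [string[]]$OfficeVersions = @('14.0', '15.0')
    )
    foreach ($v in $OfficeVersions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Word\Security\FileBlock"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'RtfFiles' -PropertyType DWord -Value 2 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'OpenInProtectedView' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Audit first; uncomment the Set-WordRtfBlock line to apply the mitigation.
Get-WordRtfBlockStatus | Format-Table -AutoSize
# Set-WordRtfBlock; Get-WordRtfBlockStatus | Format-Table -AutoSize
```

Because the setting is per user under HKCU, roll it out through Group Policy (the Office administrative templates expose the same File Block options) rather than by script when more than a handful of machines are involved, and remember that it also blocks legitimate RTF documents until the patch ships and the block is lifted.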
Microsoft is currently investigating the vulnerability (reported to them by the Google Security Team), and says it "will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."
If a patch can be prepared in time for next month's Patch Tuesday, it will probably be issued then. However, since the flaw is now public and affects versions other than the targeted Word 2010, other cybercriminals are likely looking for and working on their own exploits. If more widespread attacks are detected, Microsoft might decide to issue an out-of-band patch as soon as one is available.