Microsoft warns Word users of ongoing attacks exploiting unpatched bug

Biggest worry, says expert, is that exploits are triggered just by previewing malicious messages in Outlook 2007, 2010, and 2013

Microsoft on Monday warned users of Word 2010 that in-the-wild attacks are exploiting an unpatched vulnerability in the software. The company also published an automated tool to protect customers until it issues a patch.

"An attacker could cause remote code execution if someone was convinced to open a specially-crafted Rich Text Format (RTF) file or a specially-crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer," said Dustin Childs, group manager and spokesman for Microsoft's Trustworthy Computing group in a blog.

[ It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

According to the security bulletin Microsoft issued Monday, three members of Google's security team reported the Word vulnerability to Microsoft.

The bug is in Word's parsing of RTF files, which are often used to exchange documents when all users are not using Microsoft Word. Although the attacks seen so far by Microsoft have been aimed at Word 2010, the bulletin noted that the affected software also includes Word 2003, Word 2007, Word 2013 and Word 2013 RT, the version especially crafted for Microsoft's Windows RT tablet operating system.

Office for Mac 2011's version of Word is also vulnerable.

Because Word is the default editor for Outlook 2007, Outlook 2010 and Outlook 2013 on Windows, attackers can trigger the vulnerability simply by getting potential victims to open or even just preview a malformed message. Microsoft also said that cyber criminals could conduct "drive-by" attacks -- the term for exploits triggered when a user browses to a malicious page -- that leverage the vulnerability in RTF parsing.

"I think the key attack surface here is going to be Outlook since Word is the default reader for email in [Outlook] 2007, 2010 and 2013," said Andrew Storms, director of DevOps at security firm CloudPassage. "It's much more likely, and easier, to email someone an RTF [document] than convince them to go to a website."

Microsoft last patched an RTF-related flaw in Word in December 2012.

As it sometimes does when it issues an advisory, Microsoft also offered up a "Fix it" tool that prevents Word from opening RTF files. The Fix It can be found on Microsoft's support site.

Customers need only click the icon on the left, the one marked "Microsoft Fix it 51010." Microsoft last offered a Fix It on Feb. 19, the same day it alerted customers of a security vulnerability in Internet Explorer 9 (IE9) and IE10.

The advisory provides other measures customers can take in lieu of a patch, including using EMET (Enhanced Mitigation Experience Toolkit), a tool that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications. Although it was originally designed for enterprise IT professionals, Microsoft has been touting its use as a security backstop for a wider audience of late.

EMET 4.1 can be downloaded from Microsoft's site.

Microsoft did not hint at when it would patch the Word bug, or whether it would go "out-of-band" and issue an emergency update before the next regularly-scheduled Patch Tuesday, which is April 8.

The Redmond, Wash. company rarely ships an out-of-band update unless attacks are widespread, which according to its Child's statement Monday, is currently not the case. The last out-of-band that Microsoft released was MS13-008, an emergency patch issued in January 2013 that plugged holes in IE6, IE7 and IE8 after the browsers had been exploited for several weeks.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

This story, "Microsoft warns Word users of ongoing attacks exploiting unpatched bug" was originally published by Computerworld.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies