Microsoft's KB 2953095 Word security hole is part of ongoing embarrassment

Microsoft posted a Fix-it for a new rendering flaw with RTF -- a standard the company created in 1987 and hasn't changed since 2008

Earlier this year, three researchers at Google told Microsoft about yet another RTF rendering security hole in Word. Yesterday Microsoft issued Security Advisory 2953095 describing the vulnerability. The company also offered a baby-and-bathwater solution to the problem: Click on the proffered Fix-it, and your version of Word won't be able to recognize any RTF files -- corrupt, valid, or indifferent, RTF support gets cut off at the knees.

Here's the official pronouncement:

Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer.

Dustin Childs at the Microsoft Security Response Center goes on to explain:

As part of the security advisory, we have included an easy, one-click Fix it to address the known attack vectors. The Fix it is available to all customers and helps prevent known attacks that leverage the vulnerability to execute code ... We encourage all customers using Microsoft Word to apply this Fix it to help protect their systems.

Gregg Keizer at Computerworld has a better English-language description of the problem:

Affected software also includes Word 2003, Word 2007, Word 2013 and Word 2013 RT, the version especially crafted for Microsoft's Windows RT tablet operating system. Office for Mac 2011's version of Word is also vulnerable.

Because Word is the default editor for Outlook 2007, Outlook 2010 and Outlook 2013 on Windows, attackers can trigger the vulnerability simply by getting potential victims to open or even just preview a malformed message. Microsoft also said that cyber criminals could conduct "drive-by" attacks -- the term for exploits triggered when a user browses to a malicious page -- that leverage the vulnerability in RTF parsing.

It always boils my blood when I see an RTF vulnerability in Word -- and we've seen a lot of them. Just off the top of my head, there was a zero-day exploit in September 2010, another in December 2008, another in December 2012, and one in May 2012, and that's a very abbreviated list. They all trace their origins to problems with Word's handling of RTF files.

Which is, if you'll pardon the timeworn phrase, S-T-U-P-I-D.

Microsoft invented the RTF format. Security folks in Redmond don't like to admit it (many of them seem to have forgotten), but RTF and Word have been tied together since the beginning. It isn't like some standards body invented RTF and Word had to adapt to an alien format. The two original Word developers, Richard Brodie and Charles Simonyi, created Rich Text Format back in 1987.

Every single version of Word for Windows -- going all the way back to Word 1.0 in 1989 -- reads and writes RTF files. Every. Single. One. Yet 25 years later, we're still seeing dangerous, drive-by-caliber security holes in the way Word handles RTF.

And every time Microsoft tells us about an RTF hole in Word, its immediate suggestion is to simply disable RTF in Word. That's what happened this time, too.

The RTF specification is ancient. Microsoft hasn't changed the spec since 2008, when RTF was codified for Word 2007. Yet six years later, we're still seeing drive-bys. Astounding.

This story, "Microsoft's KB 2953095 Word security hole is part of ongoing embarrassment," was originally published at InfoWorld.com.
