Microsoft recently released a new security advisory (Microsoft Security Advisory 2953095) detailing a new zero-day vulnerability affecting Microsoft Word. According to the advisory, the vulnerability could allow remote code execution through a specially crafted Rich Text Format (RTF) file or email. Also included with the advisory is a Microsoft Fix it solution, which is detailed later in this post.
The Microsoft Word vulnerability
The recently discovered zero-day vulnerability in Microsoft Word is a remote code execution vulnerability. According to the Microsoft advisory, the issue is caused when "Microsoft Word parses specifically crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code." Microsoft also warns that "an attacker who successfully exploited the vulnerability could gain the same user rights as the current user."
Microsoft Outlook is exposed to this vulnerability as well, because Microsoft Outlook versions 2007, 2010 and 2013 use Microsoft Word as the default email reader.
Microsoft is reportedly working with its partners in investigating the new vulnerability and "will take appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update."
Microsoft also listed two specific mitigating factors:
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
- In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted RTF file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Protecting yourself from the vulnerability
Along with the announcement of the zero-day vulnerability in Microsoft Word, Microsoft included the Microsoft Fix it solution, called "Disable opening RTF content in Microsoft Word," in order to help mitigate potential damage.
The Fix it page includes two download links: one applies the quick fix, which stops Microsoft Word from opening RTF content, and the other disables that fix again. Follow the link above for Microsoft's instructions on using the Fix it solution.
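
A gateway-side complement to the Fix it, as an added example that is not part of the original post or of Microsoft's tooling: it flags email parts that contain RTF by content signature or declared type rather than by file name, so they can be held for review. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rtf"                      # every RTF document starts with this group
RTF_TYPES = ("text/rtf", "application/rtf")


def looks_like_rtf(data: bytes) -> bool:
    """True if the bytes start with the RTF signature, ignoring a UTF-8 BOM and whitespace."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    return data.lstrip().startswith(RTF_MAGIC)


def find_rtf_parts(raw_message: bytes):
    """Return (filename, declared_type) for each MIME part that is RTF by content or type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        declared = part.get_content_type()
        if looks_like_rtf(payload) or declared in RTF_TYPES:
            hits.append((part.get_filename() or "(inline body)", declared))
    return hits


def build_sample() -> bytes:
    """Constructed sample: harmless RTF under a .doc name, a text file, and a plain .rtf."""
    benign_rtf = b"{\\rtf1\\ansi Hello}"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(benign_rtf, maintype="application", subtype="msword",
                       filename="report.doc")
    msg.add_attachment(b"plain notes", maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    msg.add_attachment(benign_rtf, maintype="application", subtype="rtf",
                       filename="memo.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, declared in find_rtf_parts(build_sample()):
        print(f"hold for review: {name} (declared {declared})")
```

Checking the decoded bytes matters because the declared MIME type and the file extension are both chosen by the sender.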