Rich Text Format Zero-Day Vulnerability Found



Microsoft have today issued a warning that their Word application is vulnerable to a Rich Text Format (RTF) zero-day exploit. The vulnerability, present in Microsoft Word 2010, would allow an attacker to perform remote code execution if exploited. Microsoft have stated that they are aware of the vulnerability but have only seen it exploited in a limited fashion, and only by highly skilled attackers. They went on to state that, if exploited, the vulnerability could allow the attacker to gain the same level of privileges as the currently logged-in user.

The payload is delivered in an RTF file that is opened by the victim. The RTF file will have been injected with malicious code that exploits a vulnerability in Microsoft Word 2010 and allows the attacker to gain privileges in line with the currently logged-in user. The attacker can then remotely execute code on the system. Microsoft have stated that the exploit can also be triggered through Microsoft Outlook if Microsoft Word is set as the email viewer.

Firstly, and most importantly, it is recommended that only a handful of known users operate with advanced privileges on the system. This is access control 101 and should be part of your network access controls anyway – account management and monitoring should occur on a regular basis. If only a small number of users are able to operate with advanced privileges, this reduces the attack surface from the outset.

Secondly, it is highly recommended that rich text format documents are not opened in Microsoft Word by default. Again, this reduces the attacker's options for delivering the exploit. For example, if an RTF file is sent to a victim machine that is configured to open RTF files only in another program, such as Notepad, then the exploit will not be able to run.
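The file name alone does not identify an RTF document, so the second recommendation is easier to verify when incoming files are classified by content. The following is an added example, not code from this article or from Microsoft: a triage sweep over a folder (for instance a mail-attachment quarantine) that flags files carrying the `{\rtf` header under any extension. The verdict labels and sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

RTF_MAGIC = b"{\\rtf"   # RTF documents open with the "{\rtf" control word
HEAD_BYTES = 64         # enough to see the header past leading whitespace


def is_rtf(path):
    """Return True when the file's leading bytes carry the RTF header."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    return head.lstrip(b" \t\r\n").startswith(RTF_MAGIC)


def triage(directory):
    """List (relative_path, verdict) for every file whose content is RTF.

    Verdict is "rtf" for a .rtf name and "rtf-mismatched" for any other name.
    """
    root = Path(directory)
    findings = []
    for path in root.rglob("*"):
        try:
            if not path.is_file() or not is_rtf(path):
                continue
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        verdict = "rtf" if path.suffix.lower() == ".rtf" else "rtf-mismatched"
        findings.append((path.relative_to(root).as_posix(), verdict))
    return sorted(findings)


def demo():
    """Run the triage over constructed, harmless sample files."""
    samples = {
        "letter.rtf": b"{\\rtf1\\ansi Hello}",
        "invoice.doc": b"\r\n{\\rtf1\\ansi Hello}",
        "notes.txt": b"plain text, not RTF",
        "empty.rtf": b"",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return triage(tmp)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:15} {name}")
```

Files reported as `rtf-mismatched` are the ones worth routing to a handler other than Word or holding for review until a patch is available.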

This major rich text format vulnerability was credited to Google for discovery and is listed in the vulnerability database as CVE-2014-1761. Further details can be found on Microsoft Support. As it currently stands, there is no patch for this vulnerability; however, Microsoft have disclosed that a fix will be included in the next patch cycle as soon as they are able to mitigate it.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
