What the RTF? Mac and Windows users at risk from boobytrapped documents

Filed Under: Apple, Featured, Malware, Microsoft, Vulnerability

RTFIn the mid-1990s, the emergence of Word macro viruses - capable of infecting both Windows PCs and Apple Macs via Word documents - it was common practice to recommend users avoid sharing .DOC files and use Rich Text Format (.RTF) files instead.

The reasoning was that Rich Text Format didn't support the macro language that Microsoft had embedded inside .DOC files, and so it was a much safer way to share information in the office.

The latest batch of security bulletins issued by Microsoft, however, underline the importance of not thinking that any security advice should be written permanently in stone.

Microsoft has warned Windows and Mac users that they could be at risk from boobytrapped RTF files if they leave their copies of Microsoft Office unpatched:

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In shorthand that means a malicious attacker could send you a poisoned RTF file, and the simple act of you opening it in MS Word on a Windows or Mac computer could allow them to run malicious code. Potentially, for instance, they could open a backdoor that could allow them to gain remote access to your files or install further malware.


And don't be fooled into thinking this is the only threat related to RTF files. For instance, back in November 2010, a stack buffer overflow vulnerability (CVE-2010-3333) was patched by Microsoft. Despite a fix being available since then, we still see it being regularly exploited by cybercriminals.

Here's a podcast where Naked Security's Chet Wisniewski interviews SophosLabs expert Paul Baccas about how cybercriminals manipulate RTF files:

If you're an Apple Mac user, then it's important for you to know that Office 2008 and 2011 for Mac are at risk from the most recently announced vulnerability. You can either use the program's auto-updater to download the required security updates, or download the Microsoft Office 2008 for Mac 12.3.3 Update or Microsoft Office 2011 14.2.2 Update directly from Microsoft.

Updating Word for Mac

Note that if you rely solely upon the Software Update feature built into Mac OS X it will not update the Microsoft product.

With the current interest being shown by cybercriminals in infecting Macs, it would be extremely sensible for all users of Microsoft Office on the Mac to update their systems as a matter of priority.

PC users, meanwhile, should be aware that all editions of Word 2003, Microsoft Office 2007 ad Microsoft Compatibility Pack are affected by the vulnerability. Fixes for Windows users can be automatically downloaded via Microsoft Update or directly from Microsoft's website.

, , , ,

You might like

12 Responses to What the RTF? Mac and Windows users at risk from boobytrapped documents

  1. Hi Graham,

    'Mac and Windows users' ... You should have said 'RTF opening in Microsoft Office 2008 for Mac, Microsoft Office 2011 for Mac, Word for Windows 2003, MSO 2007...


    'Mac and Windows users'? ... You should have said 'RTF opening in Word for Mac or Windows

    It is very misleading that Mac or Windows are directly exploited by malicious code in RTF files.

    Also, it would have been a good idea to mention that opening RTF in other programs will not execute the code and that it is solely down to Microsoft Word to expose the user to the risk.

    • Thanks for your comment. I've updated the article to make clear that I was referring to opening the boobytrapped RTF file in Word.


  2. Spryte · 1243 days ago

    You mention only MS Word being affected.
    I'm suspecting it's that specific product's interaction with the OS that is the issue. Since I use RTF format most of the time but not MS Office I'd like to know if this vulnerability affects me using Wordpad or OOo/Libre Office to open RTF files?

  3. Robert Gracie · 1243 days ago

    I know if I receive anything with an RTF attached to it...its a scam and I don't open it...it gets deleted right away

  4. Colin · 1243 days ago

    I work almost exclusively with RTF, so I hope people don't delete them as a matter of course!

    I assume that not using Office [I use Bean/Pages] I have no issues with this.


  5. Courtenay · 1243 days ago

    Mac didn't have Office 2003. It was 2004, 2008, and 2011.

  6. Nigel · 1242 days ago

    "If you're an Apple Mac user, then it's important for you to know that Office 2003 and 2011 for Mac are at risk..."

    I assume that's a typo, and that you meant to say "Office 2008...for Mac". Office 2003 was a Windows version. Office 2004 for Mac is not listed by Microsoft as being affected by this vulnerability. Microsoft Security Bulletin MS12-029 lists only Office 2008 and 2011 for Mac as being affected.

  7. lewis.p · 1242 days ago

    people selling this exploit all over public foums and microsoft just release patches and dont seem to stop these same few sellers i see every severals days selling the latest exploits ? dissapointing

  8. Eldown S · 1242 days ago

    Does the Office 2008 and 2011 Mac vulnerability affect Regular Users, or both Admin and Regular Users?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley