In the mid-1990s, with the emergence of Word macro viruses – capable of infecting both Windows PCs and Apple Macs via Word documents – it was common practice to recommend that users avoid sharing .DOC files and use Rich Text Format (.RTF) files instead.
The reasoning was that Rich Text Format didn’t support the macro language that Microsoft had embedded inside .DOC files, and so it was a much safer way to share information in the office.
The latest batch of security bulletins issued by Microsoft, however, underlines the importance of not treating any security advice as permanently set in stone.
Microsoft has warned Windows and Mac users that they could be at risk from boobytrapped RTF files if they leave their copies of Microsoft Office unpatched:
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In shorthand that means a malicious attacker could send you a poisoned RTF file, and the simple act of you opening it in MS Word on a Windows or Mac computer could allow them to run malicious code. Potentially, for instance, they could open a backdoor that could allow them to gain remote access to your files or install further malware.
And don’t be fooled into thinking this is the only threat related to RTF files. For instance, back in November 2010, a stack buffer overflow vulnerability (CVE-2010-3333) was patched by Microsoft. Despite a fix being available since then, we still see it being regularly exploited by cybercriminals.
Here’s a podcast where Naked Security’s Chet Wisniewski interviews SophosLabs expert Paul Baccas about how cybercriminals manipulate RTF files:
If you’re an Apple Mac user, then it’s important for you to know that Office 2008 and 2011 for Mac are at risk from the most recently announced vulnerability. You can either use the program’s auto-updater to download the required security updates, or download the Microsoft Office 2008 for Mac 12.3.3 Update or Microsoft Office 2011 14.2.2 Update directly from Microsoft.
Note that if you rely solely upon the Software Update feature built into Mac OS X it will not update the Microsoft product.
With the current interest being shown by cybercriminals in infecting Macs, it would be extremely sensible for all users of Microsoft Office on the Mac to update their systems as a matter of priority.
PC users, meanwhile, should be aware that all editions of Word 2003, Microsoft Office 2007 and Microsoft Compatibility Pack are affected by the vulnerability. Fixes for Windows users can be automatically downloaded via Microsoft Update or directly from Microsoft’s website.
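Because Software Update will not patch Office, Mac users can confirm the update actually landed by comparing the installed Word version with the 12.3.3 and 14.2.2 levels named above. The script below is an added example, not something published by Microsoft or Sophos; the install paths and the use of CFBundleShortVersionString are assumptions about a default Office for Mac installation.

```shell
#!/bin/sh
# Added example: report whether Office for Mac is at the update level the
# article names (12.3.3 for Office 2008, 14.2.2 for Office 2011).

# version_lt A B: succeeds when dotted version A is older than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                 # leading field of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}                   # missing field counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                                   # equal versions are not older
}

# fixed_version YEAR: print the update level the article gives for that edition.
fixed_version() {
    case $1 in
        2008) echo 12.3.3 ;;
        2011) echo 14.2.2 ;;
        *) return 1 ;;
    esac
}

# office_status YEAR INSTALLED: print patched, needs-update or unknown.
office_status() {
    want=$(fixed_version "$1") || { echo unknown; return 0; }
    if version_lt "$2" "$want"; then echo needs-update; else echo patched; fi
}

# Assumed default install locations; adjust if Office lives elsewhere.
for year in 2008 2011; do
    plist="/Applications/Microsoft Office $year/Microsoft Word.app/Contents/Info.plist"
    if [ -f "$plist" ]; then
        ver=$(defaults read "${plist%.plist}" CFBundleShortVersionString 2>/dev/null) || ver=
        if [ -n "$ver" ]; then
            echo "Office $year: $ver -> $(office_status "$year" "$ver")"
        fi
    fi
done
```

On a machine without Office in those locations the script prints nothing.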
12 comments on “What the RTF? Mac and Windows users at risk from boobytrapped documents”
‘Mac and Windows users’ … You should have said ‘RTF opening in Microsoft Office 2008 for Mac, Microsoft Office 2011 for Mac, Word for Windows 2003, MSO 2007…
‘Mac and Windows users’? … You should have said ‘RTF opening in Word for Mac or Windows
It is very misleading that Mac or Windows are directly exploited by malicious code in RTF files.
Also, it would have been a good idea to mention that opening RTF in other programs will not execute the code and that it is solely down to Microsoft Word to expose the user to the risk.
Thanks for your comment. I’ve updated the article to make clear that I was referring to opening the boobytrapped RTF file in Word.
You mention only MS Word being affected.
I'm suspecting it's that specific product's interaction with the OS that is the issue. Since I use RTF format most of the time but not MS Office I'd like to know if this vulnerability affects me using Wordpad or OOo/Libre Office to open RTF files?
According to Microsoft, it’s a vulnerability in the MS Office product line.
I know if I receive anything with an RTF attached to it…it's a scam and I don't open it…it gets deleted right away
I work almost exclusively with RTF, so I hope people don't delete them as a matter of course!
I assume that not using Office [I use Bean/Pages] I have no issues with this.
Mac didn't have Office 2003. It was 2004, 2008, and 2011.
"If you're an Apple Mac user, then it's important for you to know that Office 2003 and 2011 for Mac are at risk…"
I assume that's a typo, and that you meant to say "Office 2008…for Mac". Office 2003 was a Windows version. Office 2004 for Mac is not listed by Microsoft as being affected by this vulnerability. Microsoft Security Bulletin MS12-029 lists only Office 2008 and 2011 for Mac as being affected.
Sorry. Yes, my fault. 2008 it is. Now corrected in the post
Thanks to you and others who spotted this.
People selling this exploit all over public forums and Microsoft just release patches and don't seem to stop these same few sellers I see every several days selling the latest exploits? Disappointing.
Does the Office 2008 and 2011 Mac vulnerability affect Regular Users, or both Admin and Regular Users?