Microsoft issues alert for Word zero-day - booby-trapped RTF files already used in attacks

Filed Under: Featured, Malware, Microsoft, Security threats, Vulnerability, Windows

Microsoft has issued an emergency security alert about an in-the-wild exploitable vulnerability in Word.

To clarify the jargon in that first sentence:

  • A vulnerability is the flaw that caused the bug that could let crooks get in.
  • An exploit is a way for the crooks to use a vulnerability in practice, and actually get in.
  • In the wild means the crooks not only can get in, but are actively doing so already.

If that sounds rather bad, it is.

Usually, Microsoft's updates appear in a regular, frequent and predictable way, published on Patch Tuesday, the second Tuesday of every month.

This is a good approach for patching vulnerabilities for which no known exploit yet exists, or exploits that were discovered by Microsoft's own researchers, or holes that were found privately and responsibly disclosed to Microsoft so it could fix them before they became publicly known.

It gives Microsoft time to test, and test again, that the patches don't cause problems that outweigh the security risk or, worse, open up yet more security holes.

And it lets IT teams plan their routine patching to minimise disruption.

But when the crooks start using an exploit before a patch is available, the hole is rather quaintly called a zero-day, or 0-day (pronounced "oh day"), because the maximum number of days you could have been patched ahead of the exploit was zero.

Many, if not most, software vulnerabilities are hard to exploit, meaning that even if you patch some time after the fix was available, you might get lucky.

The crooks might never actually manage to work out how to turn the vulnerability into a practicable exploit. (This is rather dramatically called weaponising a vulnerability.)

But in the case of a zero-day, the weaponisation has already happened.

That's the case with this latest alert about what is known as CVE-2014-1761, as Microsoft explains:

Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnera­bility could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

Sophos products detect booby-trapped files exploiting this vulnerability as Exp/20141761-A.

This sounds surprisingly like two existing, well-known Word exploits that have been widely used over the past few years.

These previous exploits are two and four years old respectively, and go by the tags CVE-2010-3333 and CVE-2012-0158.

SophosLabs researcher Gabor Szappanos (Szappi) recently published a paper analysing the historical record of these two vulnerabilities - both are generally exploited by what Microsoft above calls "specially crafted RTF files" - and discovered an interesting phenomenon.

Szappi noticed the 2010 and 2012 exploits were intially seen almost exclusively in attacks that were probably initiated for intelligence gathering purposes, presumably by hackers paid to conduct national or industrial espionage.

But over the past year, that has changed so that these exploits now appear frequently in broader attacks mounted by cybercriminals focused on making money through bots and zombies.

Don't wait for that to happen here - mitigate the CVE-2014-1761 problem right away!

You can reduce your exposure to attacks delivered in RTF files with these steps:

1. Block RTFs at the gateway.

Consider blocking or quarantining these files by type or extension at your email gateway.

Sophos's Email Appliance and UTM products can do this for you.

2. Stop RTFs opening in Word.

Consider using Microsoft's Fix it solution to turn off Word's ability to open and view RTF content altogether.

3. Use Microsoft's EMET.

Consider using Microsoft's Enhanced Mitigation Experience Toolkit (EMET) as a way to sandbox Microsoft Office to make it harder to exploit.

EMET can prevent unpatched vulnerabilities from being successfully weaponised.

4. Switch to plain text in email.

If you use Outlook, consider switching your email to plain text.

This makes some emails, such as marketing mails and newsletters, harder to read.

But it limits your risk when reading emails containing booby-trapped content.

By the way, when a permanent fix for CVE-2014-1761 comes out, take the opportunity to make sure that you aren't missing the patches for CVE-2010-3333 and CVE-2012-0158.

The fact that cybercrooks are still making extensive use of these holes, years on, suggests that many people still aren't patched.

That might be because they aren't patching at all, but seems equally likely that even users and IT administrators who try to be faithful about Microsoft updates may be lacking one or two fixes, exposing them to the very holes that cybercriminals are adept at jumping through.

NB. Article updated at 2014-03-25T14:30Z to clarify that only a workaround is currently available from Microsoft, not a permanent patch.

, , , , , , , ,

You might like

38 Responses to Microsoft issues alert for Word zero-day - booby-trapped RTF files already used in attacks

  1. RichardD · 557 days ago

    So where's the patch? It's not on Windows Update, and none of the pages you've linked to mention a patch; they only mention workarounds.

    • Paul Ducklin · 557 days ago

      Correct: I've updated the article to make this quite clear.

  2. For a non techie, what does this mean? That Word files coming into your email as attachments could have a virus or a worm? What if you don't have a workgroup, etc and don't often receive Word files from someone else? What if you only open emails from sources you trust?

    • Paul Ducklin · 557 days ago

      Loosely speaking, yes, there could be a virus or worm in a Word file. (Strictly speaking, most threats these days aren't viruses or worms - i.e. they don't spread onwards from your computer, they infect you and stay put. But the danger to you is the same. I'll use the word "malware," meaning "malicious software," in place of "virus.")

      The technical idea is that a crook deliberately creates a Word file that includes a fragment of a malware program, mixed in with the document, where you simply don't expect it.

      Then the crook bends and twists the Word file, so to speak, so that when you open it, Word crashes (that's the "vulnerability" part) but in such a way that the fragmentary program hidden inside gets to run (that's the "exploit" part).

      If that happens, simply opening up the booby-trapped Word file to read it will be enough for the crook to infect you with malware.

      However, in this particular incident, the only so-far-known way to get the attack to work is by using a Word file in what's known as RTF (rich text format).

      Most people exchange Word files in DOC or DOCX format, and don't use RTF files at all. So the Microsoft "Fix It" mentioned above will protect you a lot - it prevents your copy of Word from opening RTF files, so if someone sends you an RTF, it's essentially harmless because Word will ignore it.

      As for only opening attachments from email sources you trust: that is a VERY good idea! If only everyone would do it!

      It isn't 100% foolproof (your trusted friend could be infected, and might pass on an infected file by mistake), but it will GREATLY reduce your risk. Most attacks of the sort described in the article don't come from people you know. They come from people who *pretend* to know you or to have business with you.

      (Here an example of how the guys try to trick you: "Here is your invoice for charges of $263 on your card. To see your account or to dispute the charges, please open the attached file." Or they say: "This is [Well Known Courier Company]. We tried to deliver a parcel to [your business address] but failed. Please open the attached file for instructions on how to arrange a convenient time for delivery." All a pack of lies, but lots of people assume there is no harm in looking, just in case - *even though they have never heard of the sender before*. Stick to trusted email sources, and use the Fix It to block RTF files, and a lot of the risk described above is removed.)

  3. M.Keighley · 557 days ago

    Patch ? I see no patch. Just a security advisory. Nothing in WSUS either.

    • Paul Ducklin · 557 days ago

      Sorry - article has been updated to make this clear. There is nothing in WSUS yet [2014-03-25T14:30Z]. See above for mitigations, and for what Sophos Anti-Virus blocks exploit files as...but, indeed, no permanent "immunisation" update yet.

  4. Jeanne Busch · 557 days ago

    Do you know if this applies to those of us who have not seen a reason to update to Office 2010? Are 2007 and 2003 also vulnerable?

    • Paul Ducklin · 557 days ago

      Office 2003 and 2007 are on Microsoft's list (click on the "Security Advisory" image above to go to the relevant Microsoft advisory page).

      So, yes, they are vulnerable (i.e. contain the buggy code).

      But, as mentioned above, not every vulnerability can be turned into a working exploit, and so far, the only known successful attacks are against Office 2010.

      Never say never, of course...for all we know, a crook could figure out tonight how to extend the attack to 2003 and 2007. But at the moment, you're OK if you do not have Office 2010.

      Similarly, a crook might find out how to extend the attack to DOC or DOCX files, not only RTFs. But at the moment, blocking RTFs via the Fix It is a good stopgap.

  5. JJ · 557 days ago

    Ok so what happens if an infected RTF file is opened by say wordpad or another program like open office, would that execute the malware ???

    • Paul Ducklin · 557 days ago

      No. Open Office doesn't use any of the software components from Microsoft Word, so it doesn't have this bug. And as far as I know, Wordpad doesn't either (because Wordpad works without Office installed).

      So if you use the Microsoft Fix It, which means you can't open RTFs in Word (by accident or design), and then you _do_ happen to receive an RTF, and you _do_ know the sender, and you _are_ ready to trust the could always open it with Wordpad instead, just to have a look. It might be very slightly less convenient than your usual workflow but it effectively lets you have your cake and eat it.

      • JJ · 557 days ago

        just change the default program for RTF to wordpad then if word is installed and it is set for that file extension.

  6. Detlev Rackow · 557 days ago

    Actually, it's not really an out-of-band-patch. What the fix-it does, is block some functionality (opening of rtf-files), probably via a registrykey. It is standard-procedure for Microsoft to provide quick mitigating solutions, and this fix-it falls in line with this standard behaviour.

    • Paul Ducklin · 557 days ago

      True. In fact, I've removed that bit about 'out-of-band' fixes. As you say, there isn't a permanent "that bug no longer exists" update yet, just a workaround.

  7. MikeP_UK · 557 days ago

    Another solution is to not use Microsoft Word at all, there are several other alternatives - such as LibreOffice, OpenOffice, etc. They themselves may have vulnerabilities too.

  8. Stephan van Hulst · 557 days ago

    I don't know the details of the vulnerability, but wouldn't it be easy to fool the user by changing the extension to .doc? Most programs don't look at the extension to read the file, they only look at the internal format.

    This means that until a patch comes out, you should distrust any extension associated with Word.

    • Paul Ducklin · 557 days ago

      My understanding is that the "Fix It" turns off the code inside Word that actually processes RTF content.

      So the extension is irrelevant - if you load a file called THIS.DOC or THAT.DOCX that is, in fact, a misnamed but booby-trapped RTF, then Word will simply not process the file (it effectively no longer knows how to). So the exploit can't trigger.

  9. LonerVamp · 557 days ago

    I always get the best looks from the business (and even technical teams!) with item #4: Switch to plain text in email.

    • Paul Ducklin · 557 days ago

      Well...that's Microsoft's suggestion, bless their hearts! I thought it was great! I suspect that about 5% of the emails I get actually benefit from HTML, and of that 5%, about 0.5% actually require it. But, as you say, not a popular suggestion.

      Q. How do I put a cute wallpaper image behind my emails in plain text mode?

      A. You don't. That's one of the benefits of plain text email.


  10. Mike B · 557 days ago

    I don't (I think) have Word installed on my Win7 x64 system. I use Wordpad for viewing RTF files. Is this also vulnerable?

    • Paul Ducklin · 557 days ago

      To the best of my knowledge, Wordpad is not vulnerable. (Wordpad works without Office installed, so it doesn't use the buggy components.)

  11. L. Addison · 557 days ago

    Does this apply to Word 2011 (Mac) as well?

    • Paul Ducklin · 557 days ago

      No. And yes :-) According to Microsoft's list of at-risk products, the vulnerable code is in the Mac version of Word.

      But the only attack files so far seen, and the ones that provoked Microsoft to issue the alert, are RTF files targeting Office 2010 on Windows.

      There's a link in the article to Microsoft's report on the actual techie details of the exploit - as you will see if you look at it, the attack is non-trivial, and rather specific. I dont think the current attack files could be adapted to work on a Mac: an attacker would pretty much have to start from scratch to weaponise the bug on OS X.

      If you're worried, why not set Pages as the default program to open document attachments on your Mac? (If you have Mavericks, Pages is now free.)

      That way you won't get any surprises, and you can re-load the file later in Word if you need or want to.

      • Canuck · 556 days ago

        Pages is sometimes overkill for a text file.

        TextEdit comes on every Mac and works great on rtf files.

        • Paul Ducklin · 556 days ago

          Perfectly true! (I suggested Pages because it's closer to Word in functionality - if you're expecting a Word-like environment, TextEdit might be a bit startlingly basic, but if all you want to do is take a look at an RTF, it's great.)

  12. Sylvio Haas · 557 days ago

    Hi, sorry for the probably stupid question, but what are RTF files? Could you please give me an example? Thank you.

    • Paul Ducklin · 557 days ago

      RTF is "rich text format." It's just a way of saving Word files, similar to DOC or DOCX, except that the file is stored using a text-based representation.

      So, just as you can have images in JPG, PNG, BMP format, and so on, you can save documents in DOC, DOCX, RTF and more.

      A different part of the Word software is used to process RTF files when you open them. It's that part of Word 2010 that the crooks have worked out how to abuse.

      Using the Fix It listed above lets you turn of the RTF-loading part of Word - so DOC and DOCX files will load in but RTF-type files won't. That increases your safety.

      RTF files can actually be opened in a text editor like NOTEPAD, and the raw "rich text" viewed, something like this:

      {\rtf1\ansi\ansicpg1252\uc1\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\...\fprq2{\*\panose 02020603050405020304}Times New Roman;}...

      ...and so on. Note the text "rtf1" at the start - that denotes it's an RTF file. It's just one of many ways of encoding and storing Word documents.

      • Sylvio Haas · 557 days ago

        Thank you very much for the excellent and thorough explanation!

  13. hotdoge3 · 557 days ago

    Use Microsoft's EMET. is very good if you set it up right & don't use word.

    LibreOffice, OpenOffice is better

  14. Stephen Frede · 557 days ago

    The reference to the Sophos detection is at odds with the Sophos page at

    Do you have a reference for the Sophos detection of this vulnerability?

    • Paul Ducklin · 556 days ago

      The Sophos detection name is as given in the article: Exp/20141761-A.

      For some reason, the Labs guys don't put the detection names in the vulnerablity articles. I'm assuming they don't list the detections because often there's a huge list of possibly-relevant names, e.g. for an IE Cumulative Update...but for Microsoft bulletins that deal with a single vulnerability, it might be worth doing so.

      I'll pass on your comment as a suggestion, if you don't mind :-)

  15. Calista · 556 days ago

    This makes me thankful to have switched to Open Office, even though I don't like it nearly as much as the older version of Microsoft Word I used to use. Will a good, comprehensive internet security program, like Kaspersky or Trend Micro protect from this type of malware?

    • Paul Ducklin · 556 days ago

      I can tell you whether Sophos will protect you :-) (Blocked as Exp/20141761-A, as mentioned above.)

      As for other'll have to ask them. A decent product ought to - and if you've got "defence in depth" you should get multiple chances to stop malicious objects, e.g. at your email gateway (if sent as an attachment); in your UTM web filter (if part of a web page); in your browser; on download but before the file actually opens up. If you stop the file anywhere before it "gets into" Microsoft Word, you win.

  16. Dorse · 556 days ago

    Hmmmm. What about, in OS X, using TextEdit to open RTF files, which are their main format? Would highlighting, copying and pasting the content into a blank Word document pass along the malware?

    • Paul Ducklin · 556 days ago

      No. Pasting the file out of TextEdit might pass along any *formatting* mangulations caused by TextEdit, but pasting text into Word doesn't generate an RTF file.

      You only get an RTF out of Word if you explicitly save as an RTF the content you pasted into it. Of course, you don't have to do that - you could save it as a DOCX, for example. (While this scare is on, you might as well avoid saving RTFs, so you don't panic the next guy :-)

      Anyway, the RTFs generated by the crooks were not produced naturally by Word's "Save As RTF" option. They were, to use the jargon, "specially crafted," probably by hand or using a custom-made RTF-bodging script.

  17. Just commenting · 556 days ago

    Isn't the issue a little more extensive than just Word?

    "using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer."

    " Note that by default, Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013."

    The implication of these comments appears to be that just viewing a specially crafted RTF email message in the default configuration of Outlook leaves you vulnerable.

    This seems to be much more serious than the typical opening an attached file to get infected type of attack that your article seems to imply.

    • Paul Ducklin · 556 days ago

      Yes, Outlook is affected, though the bug *is in Word*, so if you apply the Fix It, you prevent RTFs from rendering in Word-via-Outlook.

      Also, we do mention "switch to plain text email in Outlook" (as suggested by Microsoft) above.

      I originally mentioned Outlook explicitly in the article, but it was hard to avoid making it sound OTT (as though there was also a bug in Outlook itself), given that the flaw is in Word and the Word-based workaround sorts out the issue for any application that uses Word for rendering.

      I might add something in given that it seems the preview pane in Outlook could be enough on its own. (Click that Fix It, I reckon!)

  18. Michigander · 544 days ago

    Is it possible to get clarification of what an "RTF email message" looks like and how it can be identified? For example, does it necessarily have an attachment such that the message is listed with a paperclip in the list of messages inside Outlook? Based on the section "Differences between the message formats" seen at, I'm not sure that the malicious message will necessarily show with attachments. It's amazing that Microsoft is not more clear about this and has not done more to publicize the issue.

    • Outlook emails created in RTF format are not attachments, but rather a separate message part just like plain text and HTML. The Outlook renderer is not vulnerable to this flaw.

      If someone attaches an RTF it will show up as an attachment.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog