Zero-day vulnerability found in Microsoft Word being actively exploited

By on March 25, 2014, 7:30 AM
office, microsoft office, security, word, vulnerability, zero-day, microsoft word

A zero-day vulnerability affecting Microsoft Word has been discovered, and it's being exploited in the wild, according to a Microsoft Security Advisory published on Monday. The vulnerability concerns Rich Text Format (RTF) documents, which can be booby-trapped and used to remotely execute code on the victim's PC.

Specifically, RTF files can be modified to cause the corruption of system memory in such a way that code could be executed. When a user opens the file in Microsoft Word, or previews a specially-crafted RTF email in Microsoft Outlook, a skillful attacker could execute code and gain the same privileges as the user. This could cause all sorts of havoc, including a remote takeover of the PC in question.

Microsoft says limited attacks are targeting Microsoft Word 2010, although Word 2003, 2007 and 2013 are all vulnerable, as is Office for Mac 2011 and several versions of SharePoint Server.

While Microsoft is completing an investigation into the vulnerability, the company advises that you configure Microsoft Office in such a way that RTF files cannot be opened by Word. Another form of protection can come through forcing Outlook to view emails in plain text.

Meanwhile, security experts at Microsoft are working towards "appropriate action" that will most likely include a security update for the affected software. The company's security advisory credits the Google Security Team for the discovery of the memory corruption vulnerability.

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.