Security Alert: New Targeted Microsoft Word Zero Day

By gTIC ·

Microsoft has recently become aware of a potentially dangerous exploit in Microsoft Office using an RTF (Rich Text File) or Microsoft Outlook with Microsoft Word configured as the primary document viewer (KB2953095/CVE-2014-1761). User interaction is not required through this exploit as viewing the file through the preview pane could still lead to an infection. Once infected, the exploit allows the attack to gain remote access into the targeted system and give the attacker the same user rights as the user currently operating the machine.

While the primary vector of attack has targeted Microsoft Office Word 2010, researchers say that the vulnerability can affect Word 2003, 2007, 2013, Office 2013 RT, Office for Mac, Office Web Apps 2010 and 2013 and Word Viewer.

The recent discovery of this vulnerability has led Microsoft to release the “Fix It Solution” as recommended on its vulnerability release which disables opening RTF content in Microsoft Word until a complete patch is available.

While information on this vulnerability is still coming to light, it is important that vulnerabilities such as this are communicated to personnel at all levels with the recommendation of viewing emails in “plain text only” until a full patch of the vulnerability can be released.

The danger of this exploit lies just as much in the ease of attack as the inherited remote access user privilege level gained. Any unexpected emails that contain a RTF should not be viewed due to the ability of preview mode in Outlook still able to infect the targeted machine.

At this time, Microsoft does not, or has not released information concerning who is being targeted by this attack. FishNet Security recommends that all users of Microsoft Word take precaution at this time and ensure the best practice of least privilege is followed.


Additional Information

Microsoft Security Tech Center | March 24, 2014
https://technet.microsoft.com/en-us/security/advisory/2953095

The Threat Post | By Michael Mimoso | March 24, 2014
http://threatpost.com/targeted-attacks-exploit-microsoft-word-zero-day/104980

Qualys Community | March 24, 2014
https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/03/24/new-0-day-out-for-microsoft-word