Microsoft has detected a new zero-day exploit targeting its Microsoft Office Suite. The underlying vulnerability in Microsoft Word could allow remote code execution through maliciously crafted Rich Text Format (RTF) documents. It can even affect users of the Microsoft Outlook Preview Pane, which opens the preview in Microsoft Word. The document’s code corrupts system memory and executes attack code. It is OS-agnostic, also affecting users who have the Microsoft Office Suite installed and use Microsoft Outlook and Word on a Macintosh. This attack is now public knowledge and is currently found “in the wild.” It has already been used to attack Microsoft Word 2010 installations, but the vulnerability is present in multiple versions of the Microsoft Office Suite, from Microsoft Office 2003 to Microsoft Office 2013. It is also important to note that Microsoft Word is the default email previewer in Microsoft Outlook in Microsoft Office versions 2007, 2010, and 2013.
The exploit runs with the permissions of the current user it has infected. An attacker who exploits the vulnerability can potentially gain full control of that user’s computer. The attacker could then use remote commands to install new software, manipulate the user’s data, and even create new accounts with administrative permissions for better access.
Until a patch is made available in the near future, Microsoft has released an automated “Fix-It” tool. This “Fix-It” tool disables the opening of RTF content in Microsoft Word. It can be found here: https://support.microsoft.com/kb/2953095
Microsoft also says that its Enhanced Mitigation Experience Toolkit prevents code in a malformed RTF file from running. This option is a little more complicated to set up than the “Fix-It” tool above, so proceed with caution. http://support.microsoft.com/kb/2458544
Other forms of protection include blocking RTF files from opening in affected versions of Microsoft Word via Active Directory Group Policies. Clients utilizing an IT/365 managed service plan that includes Patch Management will automatically be patched as soon as Microsoft releases an update.
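As an added example (not part of the original advisory and not Microsoft tooling): while RTF is blocked pending a patch, a mail filter can flag messages carrying RTF by content rather than by file name, since an RTF file may arrive under another extension. The function names, the lenient `{\rt` header match and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: match leniently on "{\rt" rather than the full "{\rtf1" header
# from the RTF specification, in case a parser accepts the shorter form.
RTF_MAGIC = b"{\\rt"


def looks_like_rtf(data: bytes) -> bool:
    """True if the bytes begin with an RTF header after any BOM or whitespace."""
    return data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(RTF_MAGIC)


def rtf_parts(raw_message: bytes):
    """Return (filename, content_type, reason) for each MIME part carrying RTF."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(inline body)"
        ctype = part.get_content_type()
        if looks_like_rtf(payload):
            reason = "content is RTF"
            if not name.lower().endswith(".rtf"):
                reason += ", name does not say so"
            hits.append((name, ctype, reason))
        elif ctype in ("text/rtf", "application/rtf") or name.lower().endswith(".rtf"):
            hits.append((name, ctype, "declared as RTF"))
    return hits


def build_sample() -> bytes:
    """Constructed test message: a benign RTF body saved under a .doc name."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in rtf_parts(build_sample()):
        print(hit)
```

Flagged parts can be quarantined or stripped at the gateway; the check identifies the format only and does not judge whether a given RTF file is malicious.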