Word 2010 Zero Day Vulnerability


The attacks use booby-trapped documents in the Rich Text Format (RTF) to exploit a vulnerability in the 2010 version of Microsoft Word, Microsoft warned in an advisory published Monday. Similar attacks work against other versions of Word, including 2003, 2007, and 2013 for Windows, Microsoft Office for Mac 2011, and multiple versions of Microsoft SharePoint Server. When a booby-trapped e-mail is viewed or previewed using a default setting in Outlook, the attacker gains the same system privileges as the user who is currently logged in.

“Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word,” Monday’s advisory stated. “At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word or previews or opens a specially crafted RTF e-mail message in Microsoft Outlook while using Microsoft Word as the e-mail viewer.”

The advisory credited Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google security team with discovery of the RTF memory corruption bug, which is formally cataloged as CVE-2014-1761. Microsoft has issued a temporary fix that configures Microsoft Office to prevent the opening of RTF files in supported versions of Microsoft Word. Users can also protect themselves against exploits by viewing e-mails in plain text. Monday’s advisory said Microsoft may issue a permanent patch once an investigation into the vulnerability is completed.
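The same "no RTF" policy can be enforced at a mail gateway by checking what each attachment actually contains rather than what it is named. The sketch below is an added example, not code from Microsoft's advisory or fix; the function names, the hold reasons and the sample message are constructed for illustration, and tolerating a BOM or leading whitespace before the header is a conservative assumption.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Match "{\rt" rather than the full "{\rtf1": Word is known to accept the
# truncated header. BOM/leading-whitespace tolerance is an assumption.
RTF_MAGIC = re.compile(rb"\A(?:\xef\xbb\xbf)?\s*\{\\rt")
RTF_TYPES = {"text/rtf", "application/rtf"}

def is_rtf(data: bytes) -> bool:
    """True if the content starts like an RTF document, whatever its name."""
    return RTF_MAGIC.match(data[:64]) is not None

def rtf_parts(raw_message: bytes):
    """Return (filename, reason) for every MIME part a gateway should hold."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    held = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        name = part.get_filename() or "(body)"
        declared = (part.get_content_type() in RTF_TYPES
                    or name.lower().endswith(".rtf"))
        if is_rtf(payload):
            # RTF bytes behind a .doc name still reach Word's RTF parser.
            held.append((name, "rtf content" if declared
                         else "rtf content, disguised"))
        elif declared:
            held.append((name, "declared rtf"))
    return held

def sample_message() -> bytes:
    """Constructed message: harmless RTF saved as .doc, plus a PDF."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "a@example.com"
    msg["To"] = "b@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(b"{\\rtf1\\ansi harmless constructed body}",
                       maintype="application", subtype="msword",
                       filename="invoice.doc")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in rtf_parts(sample_message()):
        print(f"hold {name}: {reason}")
```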


William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]
