Microsoft has warned customers of an as-yet unpatched zero-day vulnerability in its Microsoft Word and Outlook packages, which is under active attack to take control of targeted systems.
The flaw, described in Security Advisory 2953095
, relates to how both Word and Outlook deal with rich-text format (RTF) content. Typically safe from the malware and viruses that have plagued the company's own .DOC format, ne'er-do-wells have discovered a means of embedded executable code within an RTF which is then run under the privilege level of the currently logged-in user when the file is opened in Word or automatically loaded in the preview pane of Outlook.
That latter functionality is what gives real cause for concern: because Outlook versions since 2007 automatically parse RTF content and display it in-line within the preview pane, users can be exploited simply by opening an email - bypassing the usual need for the user to manually open the attached file. This does, however, only work if the system is configured to use Microsoft Word as the email viewer.
'At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010,
' Microsoft's Dustin Childs has confirmed in a statement to users. 'We continue to work on a security update to address this issue. We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.
Although the targeted attacks currently concentrate on Word 2010, Microsoft has confirmed that the flaw exists in Word 2003, 2007, 2010, 2013, 2013 RT, Word Viewer, the Office Compatibility Pack, Office for Mac 2011, the Word Automation Services plugin for SharePoint Server 2010 and 2013, and Office Web Apps 2010 and 2013. The chances of anyone in an office environment not having one or more of the above installed, then, are slim - making this a serious issue.
Currently, there is no patch available. To keep users protected while a more permanent fix is developed, Microsoft has released a Fix It
which disables the loading of RTF content into Microsoft Word - closing the hole, but also making it impossible to work with the cross-platform document standard until the flaw is fixed properly.