A new zero-day attack is targeting Microsoft Word 2003 and newer, exploiting the application through rich text format (RTF) files. Microsoft has not yet patched the vulnerability, but there are a few steps users and administrators can take to protect their systems in the meantime.
Google’s security team, credited with discovering the vulnerability, reports that it can be used to gain the same user rights as whoever is logged on to the machine at the time of infection. Microsoft describes the flaw this way: “the issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code.”
In practice, once the exploit succeeds an attacker can run any code they wish in the context of that user, so users who run as local administrators are fully exposed.
What makes this vulnerability particularly threatening is that Microsoft Outlook 2007 and newer use Word by default to preview attachments. Your users do not need to double-click an RTF attachment to open it: a single click selects the attachment and renders it in the preview pane, which can be enough for the exploit to run.
So far Microsoft has released a workaround that blocks all RTF files through a Trust Center File Block registry entry. Until a permanent security patch is available, two steps you can take are to disable the opening of RTF files entirely, or to adjust the Trust Center File Block settings so that Word opens RTF files only in “Protected View.” A further step is to disable attachment preview in Outlook (File > Options > Trust Center > Trust Center Settings > Attachment Handling > Turn off Attachment Preview). Safe Systems recommends disabling RTFs in the Trust Center, either directly in the registry or with the Microsoft Fix It (MicrosoftFixit51010.msi). Either one can be deployed to your endpoints by group policy or by an inventory management scripting engine, such as NetComply. After a security patch is released, the temporary workaround can be reversed by restoring the registry value or by running the companion Microsoft Fix It (MicrosoftFixit51011.msi).
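The following PowerShell script is an added example of the registry-based workaround described above; it is my own illustration, not Safe Systems’ script, NetComply code, or Microsoft’s Fix It. The key paths and values (FileOpenBlock with RtfFiles=1 for Word 2003/2007; FileBlock with RtfFiles=2 and OpenInProtectedView=0 for Word 2010/2013) follow Microsoft’s published workaround as I recall it and are an assumption to verify against the advisory before deployment. The `-Mode` parameter name and the version list are my own choices.

```powershell
# Added example, not the vendor's code: apply, audit, or revert the Word RTF File Block
# workaround for every Word version found in the current user's registry hive.
# Assumption: key names/values match Microsoft's advisory workaround; verify before use.
param(
    [ValidateSet('Audit', 'Block', 'Revert')]
    [string]$Mode = 'Audit'
)

# Per-version layout of the Trust Center file block keys (assumed from the advisory).
# Word 2003/2007 use FileOpenBlock with RtfFiles=1; Word 2010/2013 use FileBlock with
# RtfFiles=2 plus OpenInProtectedView=0 (0 = do not fall back to Protected View).
$targets = @(
    @{ Ver = '11.0'; Key = 'FileOpenBlock'; BlockValue = 1; HasPV = $false }  # Word 2003
    @{ Ver = '12.0'; Key = 'FileOpenBlock'; BlockValue = 1; HasPV = $false }  # Word 2007
    @{ Ver = '14.0'; Key = 'FileBlock';     BlockValue = 2; HasPV = $true  }  # Word 2010
    @{ Ver = '15.0'; Key = 'FileBlock';     BlockValue = 2; HasPV = $true  }  # Word 2013
)

foreach ($t in $targets) {
    $base = "HKCU:\Software\Microsoft\Office\$($t.Ver)\Word"
    # Skip versions this user profile has never run; creating keys for them is pointless.
    if (-not (Test-Path $base)) { continue }
    $path = Join-Path $base "Security\$($t.Key)"

    if ($Mode -eq 'Audit') {
        # Report the current state so the rollout (or the later rollback) can be verified.
        $cur = $null
        if (Test-Path $path) {
            $cur = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).RtfFiles
        }
        $state = if ($null -eq $cur) { '<not set>' } else { $cur }
        Write-Output "Word $($t.Ver): RtfFiles = $state (blocked when = $($t.BlockValue))"
    }
    elseif ($Mode -eq 'Block') {
        # Create the key if missing, then write the block value (and disable the
        # Protected View fallback where that value exists).
        New-Item -Path $path -Force | Out-Null
        Set-ItemProperty -Path $path -Name 'RtfFiles' -Type DWord -Value $t.BlockValue
        if ($t.HasPV) {
            Set-ItemProperty -Path $path -Name 'OpenInProtectedView' -Type DWord -Value 0
        }
        Write-Output "Word $($t.Ver): RTF opening blocked"
    }
    elseif ($Mode -eq 'Revert') {
        # Remove only the values we set; leave any other file block settings alone.
        if (Test-Path $path) {
            Remove-ItemProperty -Path $path -Name 'RtfFiles', 'OpenInProtectedView' `
                -ErrorAction SilentlyContinue
        }
        Write-Output "Word $($t.Ver): RTF workaround removed"
    }
}
```

Usage: `.\Set-RtfBlock.ps1 -Mode Block` to apply, `-Mode Audit` to confirm, and `-Mode Revert` once the patch is installed. Because these values live under HKCU, they must be applied in each user’s context (a user-side Group Policy preference, logon script, or a scripting engine that runs per user), not once per machine as SYSTEM. To allow RTFs in Protected View rather than blocking them outright, the variant would set OpenInProtectedView to 1 instead of 0 on Word 2010/2013; that, too, should be confirmed against Microsoft’s File Block documentation.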
Safe Systems has developed and tested a script to disable the opening of RTF files on its customers’ machines and on its own internal machines. The image below shows the pop-up Word displays when an end user attempts to open or save an RTF document after the script has run successfully.