Attacks target Microsoft Word zero day

Criminals are exploiting users in attacks against Microsoft Word thanks to a zero day vulnerability found in the platform.

The attacks could trigger remote code execution by tricking users into opening or previewing a Rich Text Format (RTF) or Outlook file if Microsoft Word is used as the default program.

This would occur without triggering a warning or error notifications.

Microsoft has issued an automated tool to plug the vulnerability (CVE-2014-1761) until a patch is issued.

Attackers could target users via email since Word is the default word processor for Microsoft Outlook, and could compromise machines via crafted phishing sites.

"At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010," Microsoft Trustworthy Computing group communications manager Dustin Childs wrote in a notification.

"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

"In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted RTF file that is used to attempt to exploit this vulnerability."

Attackers could also target users by uploading crafted RTF documents to websites that host user content or advertisements.

User accounts that have fewer access rights may be less impacted, Microsoft said.

The flaw exists in the way Word parses RTF files, and affects 2010, 2007 and 2003 versions of the program, as well as the tablet offering 2013 RT and Word 2011 for Mac. Office Web Apps 2010 and 2013 along with Word Viewer are also affected.

Google security engineers Drew Hintz, Shane Huntley and Matty Pellegrino reported the vulnerability.

Microsoft has offered a Fix it solution which would prevent RTF files from opening in Microsoft Word. It did not offer a date for when a patch may be released or whether it would fork out for a costly out-of-band patch, which was last pushed out in February to squash attacks targeting Internet Explorer.

Users should deploy Microsoft's EMET (Enhanced Mitigation Experience Toolkit) version 4.1 which makes exploitation on Windows machines more difficult by enabling defences such as address space layout randomisation and data execution prevention.

They could also alter email client settings to render emails in plain text.