The previously unknown vulnerability was discovered by members of Google's Security team and reported to Microsoft. It is a nasty ‘drive-by’ bug that can infect a Word user who simply looks at an email in their Outlook preview pane – they don't have to open any attachment or click on any link.
The remote code execution bug enables an attacker to gain the same privileges as the legitimate user and so access corporate networks. It works by getting Word users to open a specially doctored Rich Text Format (RTF) file, or to view/open a specially crafted mail in Outlook while using Microsoft Word as their email viewer.
The bug is present in multiple Word versions – on Mac platforms as well as Windows. Microsoft has so far seen “limited targeted attacks directed at MS Word 2010” but the vulnerable software includes Word 2003, 2007 and 2013, and MS Office for Mac 2011.
The flaw can also be exploited through Outlook when the user has Word as their email viewer – and Word is the default email reader in Outlook 2007, 2010 and 2013.
Security expert Adrian Culley, a global technical consultant with Damballa, believes the bug has likely been used by cyber-criminals for some time.
He told SCMagazineUK.com via email: “This vulnerability gives an attacker full access to the machine at the same privilege level as the current user and has been in the wild for some time. Unfortunately the term zero-day is rarely very helpful, as it begs the question zero-day for whom? Certainly not for the attacker who, more often than not, may have been exploiting particular vulnerabilities for months if not years.”
Microsoft says it is “working on a security update to address this issue” – likely to be released on a future ‘Patch Tuesday’ – but is urging users to adopt its quick-fix which is available here. This prevents Word users from opening RTF files.
In its 24 March security advisory admitting the flaw, Microsoft adds: “The Enhanced Mitigation Experience Toolkit (EMET) also helps to defend against this vulnerability when configured to work with Office software.” EMET 4.1 with recommended settings is already suitably configured. Microsoft also shows users how to read all emails in plain text (not using Word).
Security specialist Wolfgang Kandek, CTO of Qualys, confirmed in an email to journalists that “to work with plain text in emails is generally a recommended safeguard that prevents the ‘drive-by’ characters of these types of attacks”.
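The two workarounds the article describes, blocking RTF in Word and reading mail as plain text, are both per-user Office settings that an administrator can audit and apply without waiting for the patch. The following PowerShell script is an added example, not code from the article, from Microsoft or from the quoted experts. It assumes that Word and Outlook 2007, 2010 and 2013 store these settings under `HKCU:\Software\Microsoft\Office\<12.0|14.0|15.0>`, that the Office File Block values for RTF are `RtfFiles = 2` (block) together with `OpenInProtectedView = 0` (do not open), and that Outlook's plain-text option is `ReadAsPlain = 1`; those key names and values should be checked against Microsoft's advisory for this CVE before the script is used.

```powershell
# Added example (not the article's, Microsoft's or the quoted experts' code).
# Audits, and with -Apply enforces, the per-user mitigations described for
# CVE-2014-1761: block RTF in Word, and read all mail as plain text in Outlook.
# Assumed registry locations and values (verify against the Microsoft advisory):
#   HKCU:\Software\Microsoft\Office\<ver>\Word\Security\FileBlock
#       RtfFiles            = 2   (block opening RTF files)
#       OpenInProtectedView = 0   (blocked files are not opened at all)
#   HKCU:\Software\Microsoft\Office\<ver>\Outlook\Options\Mail
#       ReadAsPlain         = 1   (render every message as plain text)
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

# Assumption: Office 2007 = 12.0, 2010 = 14.0, 2013 = 15.0.
$officeVersions = @('12.0', '14.0', '15.0')

# The hardened state for one Office version, as (Path, Name, Value) triples.
function Get-DesiredSettings {
    param([string]$Version)
    $base = "HKCU:\Software\Microsoft\Office\$Version"
    @(
        @{ Path = "$base\Word\Security\FileBlock"; Name = 'RtfFiles';            Value = 2 },
        @{ Path = "$base\Word\Security\FileBlock"; Name = 'OpenInProtectedView'; Value = 0 },
        @{ Path = "$base\Outlook\Options\Mail";    Name = 'ReadAsPlain';         Value = 1 }
    )
}

# True only when the value exists and already equals the hardened value.
function Test-Setting {
    param([hashtable]$Setting)
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.($Setting.Name) -eq $Setting.Value)
}

# Creates the key if needed and writes the DWORD value.
function Set-Setting {
    param([hashtable]$Setting)
    if (-not (Test-Path $Setting.Path)) {
        New-Item -Path $Setting.Path -Force | Out-Null
    }
    New-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Value `
        -PropertyType DWord -Force | Out-Null
}

foreach ($v in $officeVersions) {
    # Skip Office versions this user has never run (no per-user key present).
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v")) { continue }

    foreach ($s in Get-DesiredSettings -Version $v) {
        $ok = Test-Setting -Setting $s
        $state = if ($ok) { 'hardened' } else { 'NOT hardened' }
        Write-Output ("Office {0}: {1}\{2} is {3}" -f $v, $s.Path, $s.Name, $state)

        if ($Apply -and -not $ok) {
            Set-Setting -Setting $s
            Write-Output ("Office {0}: set {1}\{2} = {3}" -f $v, $s.Path, $s.Name, $s.Value)
        }
    }
}
```

Run it once without `-Apply` to see which users or machines are still exposed, then with `-Apply` to enforce the settings; because both values live under HKCU they must be applied in each user's context (a logon script or Group Policy Preferences item is the usual route). Blocking RTF also stops users opening legitimate RTF documents, and a fleet-wide change like this should be reverted once the vendor patch is installed.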
Culley added: “The vulnerability that this exploit relates to is alarming as it involved RTF format text, which is very common. Microsoft has chosen to issue an out-of-cycle patch for this, which everyone would be well advised to download and install as soon as possible.”
In its advisory, Microsoft details how the bug can be exploited: “In a web-based attack scenario, an attacker could host a website that contains a web page that contains a specially crafted RTF file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.”
But Microsoft adds: “In all cases an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website”.
The company's public admission of the flaw is bound to increase the risk to users who do not react. Microsoft confirmed: “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
Microsoft credits Google's Drew Hintz, Shane Huntley and Matty Pellegrino with discovering the Word RTF memory corruption vulnerability, CVE-2014-1761.