Microsoft issued a security advisory for the presence of a zero-day vulnerability in Microsoft Word products which allows a remote code execution.

Another zero-day vulnerability is threatening the Microsoft world, the news was issued by Microsoft through an official security advisory (CVE-2014-1761). The vulnerability is present in Microsoft Word product, it allows a remote code execution that can be exploited by attackers using a specially crafted Rich Text Format (RTF) document. Such kind of vulnerabilities are essential components for targeted attacks like spear-phishing offensives, the specific zero-day flaw is being actively exploited in wild. 

“Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. ”

The advisory publicly refers the support from received by Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting the Word RTF Memory Corruption zero-day Vulnerability.

 “At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010…” company said. 

According to Microsoft’s security advisory, Microsoft Word is vulnerable to a remote code execution vulnerability (CVE-2014-1761) that can be exploited by a specially crafted Rich Text Format (RTF). An Attacker can simply infect the victim’s system with malware if a user opens a malicious Rich Text Format (RTF), or merely preview the message in Microsoft Outlook.

“The issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code.“

Microsoft reported that remote code execution zero-day vulnerability affects Microsoft Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011. 

The official patch will be released by Microsoft with next security updates on April 8^th, waiting for that that date, follow the mitigation factors proposed by Microsoft:

• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
• In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted RTF file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

Pierluigi Paganini

(Security Affairs –  Zero-day, Microsoft)