On Monday of this week, Microsoft released an “out of band” security advisory regarding a serious vulnerability in all supported versions of Microsoft Word that is already being exploited in the wild. Affected versions include Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013 and 2013 RT. The flaw also affects Office for Mac 2011, Office Web Apps 2010 SP1 and SP2, Office Web Apps Server 2013, and the Word Viewer and Office Compatibility Pack. There are several ways a computer user could fall prey to the attacks.
The exploit takes advantage of the way Word handles files in the .RTF format (rich text). A specially crafted email message or a malicious web site can serve as the delivery mechanism. The user doesn’t have to actually open the email; it can do its dirty work if the message is simply previewed in Outlook because the Word rendering engine is used as Outlook’s email editor. You do not have to have Word itself installed for this exploit to work.
If you have Word 2003, you can disable Word as the email editor/viewer. In Office 2007 and later versions, Word is the only email editor/viewer in Outlook and cannot be turned off. However, the exploit requires that HTML email be enabled. You can set all versions of Outlook to display messages in plain text only.
The exploit works by triggering memory corruption, which in turn can be used to execute arbitrary code with the same rights and privileges as the currently logged-on user. Obviously this means it’s especially dangerous when logged on as an administrator, as the attacker would be able to perform all admin functions, including taking complete control of the system, installing software, deleting data and creating new user accounts.
The Enhanced Mitigation Experience Toolkit (EMET) can help to mitigate this vulnerability. EMET 4.1 automatically protects Word; EMET 3.0 will need to be configured to add Word and Outlook to the list of protected applications. You can configure EMET via Group Policy.
There are also several workarounds until Microsoft releases a patch to address this. You can view email in plain text only, as mentioned above, but this may render picture-heavy messages unreadable and links in messages will not be clickable. You can also use Group Policy or the Office Customization Tool (OCT) to block Word from opening .RTF files, or you can apply the Fix It solution that automatically disables the opening of .RTF content in Word. You can find a link to the Fix It solution in KB article 2953095.
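As an added example (not from the original post, and not Microsoft's Fix It), the following PowerShell script audits, or with -Apply sets, the two per-user registry workarounds described above: Outlook's read-as-plain-text setting and Word's File Block for .RTF, for Office 2007, 2010 and 2013. The key paths and values are assumptions taken from Microsoft's documented File Block and ReadAsPlain settings rather than from this post, so check them against the KB 2953095 workarounds before rolling this out.

```powershell
# Added example, not from the original post. Audits (or with -Apply, sets) the two per-user
# registry workarounds for Office 2007/2010/2013. Key paths and values are assumed from
# Microsoft's documented File Block and ReadAsPlain settings; verify against KB 2953095.
param([switch]$Apply)

function Get-Dword($Path, $Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-Dword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# Office 2007 = 12.0, Office 2010 = 14.0, Office 2013 = 15.0
foreach ($ver in '12.0', '14.0', '15.0') {
    $office = "HKCU:\Software\Microsoft\Office\$ver"
    if (-not (Test-Path "$office\Word")) { continue }   # this version is not installed for this user

    if ($ver -eq '12.0') {
        # Word 2007 keeps File Block under FileOpenBlock; 1 = block opening of RTF (assumed value)
        $wanted = @(@{Path = "$office\Word\Security\FileOpenBlock"; Name = 'RtfFiles'; Value = 1})
    } else {
        # Word 2010/2013: 2 = do not open RTF; OpenInProtectedView=0 refuses the file outright
        $wanted = @(
            @{Path = "$office\Word\Security\FileBlock"; Name = 'RtfFiles'; Value = 2},
            @{Path = "$office\Word\Security\FileBlock"; Name = 'OpenInProtectedView'; Value = 0}
        )
    }
    # Outlook: render every message as plain text, which closes the preview-pane path
    $wanted += @{Path = "$office\Outlook\Options\Mail"; Name = 'ReadAsPlain'; Value = 1}

    foreach ($w in $wanted) {
        $current = Get-Dword $w.Path $w.Name
        $state = if ($current -eq $w.Value) { 'OK' } else { 'NOT SET' }
        if ($Apply -and $state -ne 'OK') {
            Set-Dword $w.Path $w.Name $w.Value
            $state = 'APPLIED'
        }
        '{0} {1,-20} current={2} wanted={3} {4}' -f $ver, $w.Name, $current, $w.Value, $state
    }
}
```

Run it in the context of the affected user (the keys live under HKCU), or push the same values to many machines through Group Policy Preferences instead.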
If you have security software deployed in your organization, you already have additional safeguards against these types of vulnerabilities. For example, GFI MailEssentials scans email and will catch many exploits that are delivered via attachments. GFI WebMonitor protects against malicious files that are delivered via drive-by downloads from web sites. Your best defense is a multi-layered approach, utilizing proactive protections as well as targeted mitigations.