Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

New Microsoft Word Zero-Day Used in Targeted Attacks

Vulnerability CVE-2014-1761 in Microsoft Word Could Allow Remote Code Execution, Microsoft Warns – Office 2011 for Mac Affected

Vulnerability CVE-2014-1761 in Microsoft Word Could Allow Remote Code Execution, Microsoft Warns – Office 2011 for Mac Affected

Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word that is being actively exploited in targeted attacks directed at Microsoft Word 2010.

“The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,” Microsoft explained in the advisory.

If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges.

Word Vulnerability Used in Targeted AttacksApplying the Microsoft Fix it solution, “Disable opening RTF content in Microsoft Word,” prevents the exploitation of this issue through Microsoft Word, Microsoft said.

Specifically, the issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted, giving a potential attacker the ability execute arbitrary code on the affected system.

“In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted RTF file that is used to attempt to exploit this vulnerability, Microsoft explained. “In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.”

“The in the wild exploit takes advantage of an unspecified RTF parsing vulnerability combined with an ASLR bypass, which depends by a module loaded at predictable memory address,” Chengyun Chu and Elia Florio, MSRC Engineering, explained in a blog post that provides additional details.

Fortunately, according to the Microsoft engineers, tests showed that EMET default configuration can block the exploits seen in the wild.

Advertisement. Scroll to continue reading.

The vulnerability could be exploited through Microsoft Outlook only when using Microsoft Word as the email viewer, Microsoft warned. By default, Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

While the reported attacks are targeting Microsoft Word 2010, other software products affected by the vulnerability include: Microsoft Word 2003, Microsoft Word 2007, Microsoft Word 2013, Microsoft Word Viewer and Microsoft Office for Mac 2011.

While Outlook 2013 is listed as vulnerable, Microsoft found that the current exploit fails and crashes on machines running Word 2013, due to ASLR enforcement built into the product.

Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft.

As an initial workaround until the bug is patches, Microsoft is providing a Fix it automated tool which uses Office’s file block feature and adds few registry keys to prevent opening of RTF files in all Word versions.

Enterprise security teams can also implement their own custom protection using Trust Center features of Office, Microsoft said, as these settings can be managed and deployed through GPO. 

*Updated with additional details.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.