Microsoft: 0Day Exploit Targeting Word, Outlook

http://krebsonsecurity.com/2014/03/microsoft-warns-of-word-2010-exploit/

Microsoft warned today that attackers are exploiting a previously unknown security hole in Microsoft Word that can be used to foist malicious code if users open a specially crafted text file, or merely preview the message in Microsoft Outlook.

In a notice published today, Microsoft advised:

“Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

To be clear, Microsoft said the exploits it has seen so far attacking this vulnerability have targeted Word 2010 users, but according to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011.

Microsoft says it’s working on an official fix for the flaw, but that in the meantime affected users can apply a special Fix-It solution that disables the opening of RTF content in Microsoft Word. Microsoft notes that the vulnerability could be exploited via Outlook only when using Microsoft Word as the email viewer, but by default Word is the email reader in Microsoft Outlook 2007, Outlook 2010 and Outlook 2013.

One way to harden your email client is to render emails in plain text. For more information on how to do that with Microsoft Outlook 2003, 2007, 2010 and 2013, see these two articles:

Read email messages in plain text

Applies to: Outlook 2010

If you have security concerns about reading HTML-formatted messages, you can have Outlook display messages that you open in plain text. However, reading messages in plain text doesn’t provide complete protection against all email message hazards.

  1. Click the File tab.
  2. Click Options.
  3. Click Trust Center, and then click Trust Center Settings.
  4. Click E-mail Security.
  5. Under Read as Plain Text, select the Read all standard mail in plain text check box.

To include messages signed with a digital signature, select the Read all digitally signed mail in plain text check box.

NOTE: If you want to view a plain text message in its original format, click the InfoBar, and choose either Display as HTML or Display as Rich Text.
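The steps above apply the plain-text setting through the Outlook Trust Center one mailbox at a time. The script below is an added example (not from the original post or from Microsoft) that applies the same "Read all standard mail in plain text" option, and optionally the digitally signed variant, from a PowerShell prompt for the current user, and then reads the values back for verification. It assumes the option is stored as the DWORD ReadAsPlain (and ReadSignedAsPlain) under HKCU:\Software\Microsoft\Office\<version>\Outlook\Options\Mail, with 12.0, 14.0 and 15.0 corresponding to Outlook 2007, 2010 and 2013; check that assumption against your own Outlook build before rolling it out.

```powershell
# Added example: set Outlook to read all standard mail in plain text for the current user.
# Assumption: the setting lives in HKCU:\Software\Microsoft\Office\<ver>\Outlook\Options\Mail
# as the DWORD ReadAsPlain (1 = on); ReadSignedAsPlain does the same for signed mail.
param(
    [switch]$IncludeSigned   # also set "Read all digitally signed mail in plain text"
)

# Version-to-product map (assumed: 12.0 = 2007, 14.0 = 2010, 15.0 = 2013).
$versions = @{ '12.0' = 'Outlook 2007'; '14.0' = 'Outlook 2010'; '15.0' = 'Outlook 2013' }

foreach ($v in $versions.Keys) {
    $outlookRoot = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    $key         = "$outlookRoot\Options\Mail"

    # Only touch versions that this user profile has actually run.
    if (-not (Test-Path $outlookRoot)) {
        Write-Host "$($versions[$v]): no profile data found, skipping."
        continue
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # -Force overwrites an existing value so the script is safe to re-run.
    New-ItemProperty -Path $key -Name 'ReadAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
    if ($IncludeSigned) {
        New-ItemProperty -Path $key -Name 'ReadSignedAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read the values back so a logon-script log shows what was actually applied.
    $props = Get-ItemProperty -Path $key
    Write-Host ("{0}: ReadAsPlain={1} ReadSignedAsPlain={2}" -f $versions[$v],
        $props.ReadAsPlain, $props.ReadSignedAsPlain)
}
```

Run it as the affected user (for example `.\Set-OutlookPlainText.ps1 -IncludeSigned`) and restart Outlook for the change to take effect. As the article notes, plain-text rendering reduces exposure to HTML and RTF content in the reading pane but is not a complete defence; the Fix-It that blocks RTF in Word, and the eventual patch, are still needed.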

About skicat56

Snow Sports Industry veteran – Husband – Father – Network IT Ninja & Former Powncer. Old enough to know better but young enough to start a new career.