Vulnerability in Microsoft Word Could Allow Remote Code Execution

ITS Advisory Number: 
2014-028b
Date(s) Issued: 
Monday, March 24, 2014
Date Updated: 
Tuesday, April 8, 2014
Subject: 
Vulnerability in Microsoft Word Could Allow Remote Code Execution
Overview: 

A vulnerability has been discovered in Microsoft Word that could result in remote code execution. This vulnerability requires that a user open or preview specially crafted RTF-formatted data with an affected version of Microsoft Office software. Successful exploitation could result in the attacker gaining the same user rights as the current user.ÿDepending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Please note that there is no patch available at this time. Microsoft is aware of limited, targeted attacks directed at Microsoft Word 2010.

APRIL 8, 2014 - UPDATED OVERVIEW:
Microsoft has released a patch for this vulnerability with MS14-017.

Systems Affected: 
  • Microsoft Word 2003
  • Microsoft Word 2007
  • Microsoft Word 2010
  • Microsoft Word 2013
  • Microsoft Office for Mac 2011
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

ORIGINAL DESCRIPTION:

A vulnerability has been discovered in Microsoft Word that could result in remote code execution. This vulnerability could be exploited if a user opens a specially crafted RTF file using an affected version of Microsoft Word. The user could also preview or open a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. ÿBy default, Microsoft Word is the email reader in Outlook 2007, Outlook 2010 and Outlook 2013. Successful exploitation could result in the attacker gaining the same user rights as the current user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Please note that there is no patch available at this time. Microsoft is aware of limited, targeted attacks directed at Microsoft Word 2010.

APRIL 8, 2014 - UPDATED DESCRIPTION:
Microsoft has released a patch for this vulnerability with MS14-017.

A vulnerability has been discovered in Microsoft Word that could result in remote code execution. This vulnerability could be exploited if a user opens a specially crafted RTF file using an affected version of Microsoft Word. The user could also preview or open a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. ÿBy default, Microsoft Word is the email reader in Outlook 2007, Outlook 2010 and Outlook 2013. Successful exploitation could result in the attacker gaining the same user rights as the current user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Please note that there is no patch available at this time. Microsoft is aware of limited, targeted attacks directed at Microsoft Word 2010.

APRIL 8, 2014 - UPDATED DESCRIPTION:
Microsoft has released a patch for this vulnerability with MS14-017.

Actions: 
  • Consider implementing the workaround provided by Microsoft (https://support.microsoft.com/kb/2953095)
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Remind users not to download or open files from un-trusted websites.
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
References: 
Microsoft:
https://technet.microsoft.com/en-us/security/advisory/2953095
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1761
APRIL 8, 2014 - UPDATED REFERENCE:
Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms14-017