Targeted Attacks Exploit Microsoft Word Zero Day

Microsoft issued an advisory today warning of targeted attacks against a zero-day vulnerability in Microsoft Word. The exploits in the wild target Word 2010, but the Office software is vulnerable all the way back to Word 2003.

Targeted attacks have been spotted against a zero-day vulnerability in Microsoft Word 2010, leading Microsoft to issue a special security advisory and produce a Fix-it solution for users until a patch is ready.

Microsoft also said that its Enhanced Mitigation Experience Toolkit (EMET) is a temporary mitigation for the zero-day. Some versions of EMET would have to be configured to work with Microsoft Office in order to ward off exploits; EMET 4.1 is already configured for Office, for example.

While attacks are currently targeting Microsoft Word 2010, Microsoft said the vulnerability affects Word 2003, 2007, 2013 and 2013RT, as well as Office for Mac, Office Web Apps 2010 and 2013, and Word Viewer.

An attacker could exploit the vulnerability with a malicious Rich Text Format file or email in Outlook configured to use Microsoft Word as the email viewer, said Dustin Childs, a Trustworthy Computing group manager at Microsoft.

The vulnerability can also be exploited over the Web where an attacker could host a website containing a malicious RTF exploit, or upload a malicious RTF exploit onto a site that accepts user-provided content. Victims would have to be enticed into opening the content; an exploit cannot be triggered without user interaction.

The Fix it disables opening of RTF content in Word, Microsoft said.

“The issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code,” Microsoft said in its advisory, adding that Word is by default the email reader in Outlook 2007, 2010 and 2013.

Microsoft said it could release an out-of-band patch, but more likely it will wait until its next Patch Tuesday security updates are released on April 8. That date also signals the end of support for Windows XP, Microsoft announced some time ago.

Microsoft has made it a common practice to release Fix it mitigations or recommend the use of EMET as a temporary stopgap while zero-day vulnerabilities are being actively exploited in the wild. The last one issued was in February for a string of attacks against a zero day in Internet Explorer.

The vulnerability in IE 10 was exploited by two different hacker groups against government and aerospace targets in the U.S. and France respectively. The same use-after-free vulnerability was present in IE 9 but was not being exploited.

EMET has also been a popular mitigation recommendation from Microsoft against memory-based vulnerabilities. The toolkit contains a dozen mitigations that fend off buffer overflow attacks and others that allow attackers to execute code on vulnerable machines.

Most recently, Microsoft released a technical preview of EMET 5.0 that included two new exploit mitigations. Researchers, however, have been finding moderate success in developing bypasses for some of the protections bundled in with EMET.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.