Outlook Users Face Zero-Day AttackSimply previewing maliciously crafted RTF documents in Outlook triggers exploit of bug present in Windows and Mac versions of Word, Microsoft warns.
Windows 8.1 Update 1: 10 Key Changes
(Click image for larger view and slideshow.)
There is a new zero-day attack campaign that's using malicious RTF documents to exploit vulnerable Outlook users on Windows and Mac OS X systems, even if the emailed documents are only previewed.
That warning was sounded Monday by Microsoft, which said that it's seen "limited, targeted attacks" in the wild that exploit a newly discovered Microsoft Word RTF file format parser flaw, which can be used to corrupt system memory and execute arbitrary attack code.
"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," said a Microsoft's security advisory. "If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
[Are you prepared for the end of Windows XP support? Read Windows XP: Feds Brace For End Of Support.]
The only related in-the-wild exploits of the flaw (CVE-2014-1761) seen to date have targeted Microsoft Word 2010. But the vulnerability is present in multiple Windows versions of Word (2003, 2007, 2010, 2013), Word Automation Services on Microsoft SharePoint Server (2010 and 2013), and Microsoft Office Web Apps (2010 and Server 2013). In addition, the bug is also present in Microsoft Office for Mac 2011.
While the vulnerability technically exists in Word, it's being exploited when Word is set to be the email viewer for Outlook, which is the typical setup. "By default, Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013," according to Microsoft.
How can Outlook and Word users mitigate the vulnerability? Microsoft has detailed multiple workarounds -- all temporary -- pending its release of security patches. One workaround is an automated "Fix It" tool for Microsoft Word (2010, 2013) and Office (2003, 2007), which will "disable RTF as a supported format in Microsoft Office," Wolfgang Kandek, CTO of Qualys, said via email. An Active Directory Group Policy can also be set to block RTF files for affected versions of Word.
Outlook can also be set to read in plaintext all "standard" emails -- meaning messages that aren't digitally signed or encrypted -- which will block related attacks. According to Microsoft, using plaintext strips the "junk tags" used by attackers from RTF documents. It said attackers have also included a secondary attack that bypasses address space layout randomization (ASLR) and then uses return-oriented programming (ROP) to execute shell code, which installs a backdoor onto the affected system, and "phones home" to a command-and-control server via encrypted SSL traffic.
Microsoft said its Enhanced Mitigation Experience Toolkit (EMET), when installed on a system and configured to work with Microsoft Office, also appears to block related attacks. "Our tests showed that EMET default configuration can block the exploits seen in the wild," according to a Microsoft Security Research and Defense blog post written by Microsoft engineers Chengyun Chu and Elia Florio. "In this case, EMET's mitigations such as 'Mandatory ASLR' and anti-ROP features effectively stop the exploit."
Multiple security experts have warned that anyone using the vulnerable Microsoft software should tap one or more of the mitigation techniques, since the bug will likely soon be exploited on a much more wide-scale basis.
If news of the RTF vulnerability creates a sense of déjà vu, that's because attacks involving maliciously crafted documents that could exploit systems just when previewed used to be a more common occurrence.
"This isn't, of course, the first time that malware has been able to infect computers just by emails being read -- as opposed to links being clicked on, or attachments opened," said Graham Cluley, an independent security researcher, in a blog post. "Readers with long memories may remember the BubbleBoy and Kakworm attacks, for instance. Kakworm became particularly widespread at the tail end of the 1990s, exploiting a security hole in Microsoft Outlook Express to spread."
The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)
Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio