Microsoft posted a security advisory today for a newly discovered, unpatched vulnerability affecting Microsoft Word. An attacker could take advantage of the Microsoft Word Remote Memory Corruption Vulnerability (CVE-2014-1761) to gain remote access to the targeted computer. The advisory indicates that the vulnerability was exploited in limited, targeted attacks.
Users should not only be cautious about opening unknown RTF documents, but they should also avoid previewing these files in Outlook, as doing so could let the attackers exploit the vulnerability. Be aware that the default viewer for RTF documents attached to emails in several versions of Outlook is Microsoft Word.
While patches have not yet been made available, users can apply several workarounds to minimize the risk of exploitation. Microsoft has provided a Fix it solution, which disables the ability to open RTF content in Microsoft Word. Users can also configure Outlook to display emails only in plain text format to mitigate the issue.
Microsoft has confirmed that its Enhanced Mitigation Experience Toolkit (EMET) successfully blocks the exploit. This could be an alternative solution if other workarounds cannot be applied.
Users are advised to apply patches as soon as they are made available by the vendor.
Symantec Security Response offers the following detections to protect our customers from the CVE-2014-1761 exploit.
- System Infected: Fraudulent Digital Certificate
We are currently working on additional coverage and will update this blog in due course with more details.