

Vulnerability protection

Microsoft Word RTF Vulnerability Could Allow Remote Code Execution


Report ID: MAPP-CVE20141761
Date Published: 7 April 2014
Date Revised:

Criticality: Critical
Compromise Type: remote-code-execution
Compromise From: remote


Affected Product/Component:

Microsoft Word 2013 RT
Microsoft Word 2013 (32-bit & 64-bit versions)
Microsoft Word 2010 SP1 & SP2 (32-bit & 64-bit versions)
Microsoft Word 2007 SP3
Microsoft Word 2003 SP3
Microsoft Word Viewer
Microsoft Office Compatibility Pack SP3
Microsoft Office for Mac 2011
Word Automation Services on Microsoft SharePoint Server 2013
Word Automation Services on Microsoft SharePoint Server 2010 (SP1 & SP2)
Microsoft Office Web Apps Server 2013
Microsoft Office Web Apps 2010 (SP1 & SP2)




Summary

A vulnerability in Microsoft Word could, if successfully exploited, lead to remote code execution.



Detailed Description

A vulnerability in the way Microsoft Word parses Rich Text Format (RTF) files could lead to system memory corruption that could allow an attacker to gain the same user rights as the current user. If the user has full administrative rights on the system, the attacker could gain complete control of the compromised system. A user with fewer user rights may be less impacted.

To exploit this vulnerability, an attacker must lure the targeted user into opening specially crafted RTF content using the affected Word software. The content may be delivered via e-mail or hosted on a malicious webpage.

F-Secure Internet Security 2014 (with DeepGuard version 5) is able to detect and block this threat. For more information, please see:

In addition, F-Secure detects the files taking advantage of this vulnerability with these generic detections:

  1. Exploit.CVE-2014-1761.A - starting in Aquarius database version 2014-04-03_03, which was released on 4 April 2014
  2. Exploit:W32/CVE-2014-1761.A - starting in Hydra database 2014-04-04_02, which was released on 4 April 2014

Please allow F-Secure products to block installation of files that take advantage of this vulnerability.



CVE Reference

CVE-2014-1761



Detected Exploit

Detection: Exploit.CVE-2014-1761.A
Database: Aquarius database version 2014-04-03_03 at 15:25:48 UTC
Release Date: 7 April 2014

Detection: Exploit:W32/CVE-2014-1761.A
Database: Hydra database version 2014-04-04_02 at 18:43:49 UTC
Release Date: 7 April 2014



Solution

Microsoft recommends disabling RTF viewing and/or forcing Word to always open RTF files in Protected View via the Trust Center settings. In addition, a Fix it automated tool has been provided to facilitate implementing these workarounds. Complete instructions are available in Microsoft Security Advisory (2953095).
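
An added example (not from F-Secure or Microsoft) that complements the workarounds above on the e-mail delivery path: it flags attachments whose content is RTF by signature, including ones whose filename or MIME type says otherwise, since Word chooses its parser from the file content. The sample message, filenames and function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rtf"                       # RTF documents begin with this control word
RTF_TYPES = {"application/rtf", "text/rtf"}
BOM = b"\xef\xbb\xbf"

def is_rtf(data: bytes) -> bool:
    """True if the payload is RTF by content; a leading BOM or whitespace is tolerated."""
    if data.startswith(BOM):
        data = data[len(BOM):]
    return data.lstrip(b" \t\r\n").startswith(RTF_MAGIC)

def rtf_attachments(raw_message: bytes):
    """Return (filename, declared_type, disguised) for every RTF part in a message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if not is_rtf(data):
            continue
        name = part.get_filename() or "(inline)"
        ctype = part.get_content_type()
        # "disguised": RTF content that neither the name nor the MIME type announces
        disguised = not (name.lower().endswith(".rtf") or ctype in RTF_TYPES)
        hits.append((name, ctype, disguised))
    return hits

def build_sample() -> bytes:
    """Constructed test message with harmless attachments (not a real sample)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    rtf = b"{\\rtf1\\ansi Hello}"            # benign one-line RTF document
    msg.add_attachment(rtf, maintype="application", subtype="msword",
                       filename="invoice.doc")
    msg.add_attachment(rtf, maintype="application", subtype="rtf",
                       filename="notes.rtf")
    msg.add_attachment(b"plain text", maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for hit in rtf_attachments(build_sample()):
        print(hit)
```

Attachments reported with `disguised` set to true are the ones an extension-based or MIME-type-based RTF block at the gateway would let through.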

 

Removal/Disinfection
Allow F-Secure Internet Security or F-Secure Anti-Virus to block installation of malicious files, and to remove or disinfect malicious files if found on the system.

 


