0-Day Fixes

Microsoft Word RTF vulnerability could allow remote code execution

Report ID: MAPP-CVE20141761
Date Published: 7 April 2014
Date Revised:  
Criticality: Critical
Compromise Type: remote-code-execution
Compromise From: remote
Affected Product/Component:
Microsoft Word 2013 RT
Microsoft Word 2013 (32-bit & 64-bit versions)
Microsoft Word 2010 SP1 & SP2 (32-bit & 64-bit versions)
Microsoft Word 2007 SP3
Microsoft Word 2003 SP3
Microsoft Word Viewer
Microsoft Office Compatibility Pack SP3
Microsoft Office for Mac 2011
Word Automation Services on Microsoft SharePoint Server 2013
Word Automation Services on Microsoft SharePoint Server 2010 (SP1 & SP2)
Microsoft Office Web Apps Server 2013
Microsoft Office Web Apps 2010 (SP1 & SP2)


A vulnerability in Microsoft Word could, if successfully exploited, lead to remote code execution.

Detailed Description

A vulnerability in the way Microsoft Word parses Rich Text Format (RTF) files could lead to system memory corruption that could allow an attacker to gain the same user rights as the current user. If the user has full administrative rights on the system, the attacker could gain complete control of the compromised system. A user with fewer user rights may be less impacted.

To exploit this vulnerability, an attacker must lure the targeted user into opening specially crafted RTF content using the affected Word software. The content may be delivered via e-mail or hosted on a malicious webpage.

F-Secure Internet Security 2014 (with DeepGuard version 5) is able to detect and block this threat. For more information, please see:

In addition, F-Secure detects the files taking advantage of this vulnerability with these generic detections:

  1. Exploit.CVE-2014-1761.A - starting in Aquarius database version 2014-04-03_03, which was released on 4 April 2014
  2. Exploit:W32/CVE-2014-1761.A - starting in Hydra database 2014-04-04_02, which was released on 4 April 2014

Please allow F-Secure products to block installation of files that take advantage of this vulnerability.

CVE Reference

  • CVE-2014-1761

Detected Exploit

  • Exploit.CVE-2014-1761.A
  • Exploit:W32/CVE-2014-1761.A
  • Aquarius database version 2014-04-03_03 at 15:25:48 UTC
  • Hydra database version 2014-04-04_02 at 18:43:49 UTC

Release Dates

  • 7 April 2014
  • 7 April 2014


Microsoft recommends disabling RTF viewing and/or forcing Word to always open RTF files in Protected View via the Trust Center settings. In addition, a Fix it automated tool has been provided to facilitate implementing these workarounds. Complete instructions are available from Microsoft Security Advisory (2953095).


Allow F-Secure Internet Security or F-Secure Anti-Virus to block installation of malicious files, and to remove or disinfect malicious files if found on the system.

Original Source

Microsoft Security Advisory (2953095)