Microsoft warned users about a zero-day vulnerability in all versions of Microsoft Word that is being actively exploited in targeted attacks, involving Rich Text Format files and the Microsoft Outlook email client.
The company has issued an emergency quick fix for the zero-day flaw and advises users to consider using this temporary patch to thwart ongoing attack attempts.
The vulnerability was reported to Microsoft by Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team.
Microsoft disclosed the vulnerability in a security bulletin explaining that the flaw was being exploited in “limited, targeted attacks” directed at Word 2010.
According to the advisory, an attacker can infect the victim’s system with malware if the user opens a malicious Rich Text Format (RTF) file, or merely previews the message in Microsoft Outlook. When successfully exploited, the flaw gives the attacker the same rights as the logged-in user. The company has rolled out a “Fix it” temporary workaround which disables RTF support in Word.
“The vulnerability is a remote code execution vulnerability. The issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code,” Microsoft said in its advisory.
“The vulnerability could be exploited through Microsoft Outlook only when using Microsoft Word as the email viewer. Note that by default, Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.”
Microsoft said it is “working on a security update to address this issue” that is likely to be rolled out with the next ‘Patch Tuesday’ security updates on April 8. In the meantime, the company advises users to apply the quick fix.