Exploit for critical flaw in MS Office found in the wild
Could allow remote execution of code via RTF Word files
- By William Jackson
- Jan 04, 2011
An exploit has been discovered in the wild that can successfully attack a critical vulnerability in the way Microsoft Office handles Rich Text Format data, allowing remote execution of code on a victim computer.
Microsoft released a patch for the vulnerability, known as CVE-2010-3333, in November, and no widespread outbreaks of exploits have yet been reported. The public availability of an exploit lowers the bar for attackers, however, and increases the urgency for seeing that affected software is patched.
“Hopefully, everybody is adhering to best practices and patching as soon as possible,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “If people haven’t made this a priority, now would be a good time.”
Patch management: It's not sexy, but it can keep you secure
Microsoft wants more control over vulnerability information
The RTF Stack Buffer Overflow Vulnerability affects Microsoft Office XP and Office 2003 Service Pack 3, Office 2007 SP2, as well as Office 2010 32-bit and 64-bit editions. Microsoft described the vulnerability and released a patch for it in its November security bulletin. A flaw in the way Office software processes RTF data can allow an attacker to take control of the victim's computer to install programs; view, change, or delete data; or create new accounts with full user rights.
The vulnerability was rated important or critical, depending on the platform.
“We predicted at the time that it would become a target of attackers,” Talbot said. “Since then we’ve seen a number of attacks in the wild, but no widespread exploitation.”
But with the public availability of attack code, that could change. “The main concern is that the exploit is available so that less-skilled attackers can use it,” Talbot said.
Microsoft’s Malware Protection Center Blog reported on Dec. 29 that a sample of a successful exploit for this vulnerability able to execute malicious shellcode that downloads other malware had been found a few days before Christmas.
“The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one,” Microsoft reported in its MMPC blog. “The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack.”
In addition to patching affected software, Microsoft recommended using Office File Block to block opening RTF documents from unknown or untrusted sources.
Because the vulnerability exists in Office software, Microsoft Outlook also could be used as a vector for delivering attacks by sending an RTF message by e-mail and having it open automatically in the Outlook preview pane. The current exploit uses only RTF Word documents, however, which could reduce the danger because it would require the recipient to open the document rather than having this happen automatically.
Microsoft advises reading e-mails only in plain text formats as a workaround. Users of Outlook 2002 who have applied Office XP Service Pack 1 or a later version can require that messages that are not digitally signed or encrypted be read only as plain text.
William Jackson is a Maryland-based freelance writer.