New Microsoft Advisory: Unpatched Word Flaw used in Targeted Attacks
Last Updated: 2014-03-24 19:43:23 UTC
by Johannes Ullrich (Version: 1)
Microsoft today published a new security bulletin, announcing that it has seen a new Word 2010 exploit used in recent targeted attacks. The exploit uses a so far unpatched vulnerability in Word that is triggered by opening a crafted RTF document.
To prevent exploitation of the vulnerability, Microsoft released a "Fix It" that will prevent Word from opening RTF documents. 
Frequently RTF ("Rich Text Format") is used as a more portable way to exchange documents with basic formatting elements. The Fix-It may not be appropriate if you use RTF documents regularly. However, given that RTF documents are portable and can be opened by other software, it MAY be ok to just use software other then word to open the document.
This vulnerability is identified by CVE-2014-1761.
More details about the exploit can be found in Microsoft's "Security Research and Defense Blog" . It points out that EMET can help block the exploit if the "Mandatory ASLR" and the "Anti-ROP" features are selected. This may be of help if you can't stop opening RTFs altogether. Word 2013 appears vulnerable, but the exploit fails due to ASLR and "just" crashes Word 2013.
The blog post also includes indicators of compromise for the particular exploit seen.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
The registry entries involved and their settings are
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock key RtfFiles value 2
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock key OpenInProtectedView value 0
Mar 27th 2014
9 years ago