Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: New Microsoft Advisory: Unpatched Word Flaw used in Targeted Attacks - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
New Microsoft Advisory: Unpatched Word Flaw used in Targeted Attacks

Microsoft today published a new security bulletin, announcing that it has seen a new Word 2010 exploit used in recent targeted attacks. The exploit uses a so far unpatched vulnerability in Word that is triggered by opening a crafted RTF document.

To prevent exploitation of the vulnerability, Microsoft released a "Fix It" that will prevent Word from opening RTF documents. [1][2] 

Frequently RTF ("Rich Text Format") is used as a more portable way to exchange documents with basic formatting elements. The Fix-It may not be appropriate if you use RTF documents regularly. However, given that RTF documents are portable and can be opened by other software, it MAY be ok to just use software other then word to open the document.

This vulnerability is identified by CVE-2014-1761.

More details about the exploit can be found in Microsoft's "Security Research and Defense Blog" [3]. It points out that EMET can help block the exploit if the "Mandatory ASLR" and the "Anti-ROP" features are selected. This may be of help if you can't stop opening RTFs altogether. Word 2013 appears vulnerable, but the exploit fails due to ASLR and "just" crashes Word 2013. 

The blog post also includes indicators of compromise for the particular exploit seen.



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


4479 Posts
ISC Handler
Mar 24th 2014
The Microsoft Fix-It for this issue appears to work by setting registry keys for the current user. If you try to roll it out with most automated tools you may only be mitigating the problem for the administrative login that runs the Fix-It and not the end users.

The registry entries involved and their settings are

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock key RtfFiles value 2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock key OpenInProtectedView value 0

Sign Up for Free or Log In to start participating in the conversation!