Microsoft Announces Zero-Day Vulnerability in Word

WHAT IS THE SECURITY ALERT?

Microsoft issued Security Advisory 2953095 on 3/24/2014 alerting users to a vulnerability affecting Microsoft Word. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. The attacker's code runs with the same privileges as the user who opened the file, so a user who works as a local administrator hands the attacker full control of the machine, while a user with fewer rights limits the damage.

Currently there is no patch available for this vulnerability, as Microsoft is still investigating. Microsoft and Eden have suggestions (outlined below) on how to protect your organization until a patch is released.

WHICH VERSIONS OF WORD ARE VULNERABLE?

On Windows, every version and service pack of Word from Word 2003 to Word 2013 is vulnerable, as are the Word Viewer and the Office Compatibility Pack. Office for Mac 2011 is also vulnerable, as are server products that embed Word's document handling, such as Word Automation Services on SharePoint and Office Web Apps. The complete list is:

Windows:
Microsoft Word 2003 Service Pack 3
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 1 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 1 (64-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 (32-bit editions)
Microsoft Word 2013 (64-bit editions)
Microsoft Word 2013 RT
Microsoft Word Viewer
Microsoft Office Compatibility Pack Service Pack 3

Mac and server products:
Microsoft Office for Mac 2011
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
Word Automation Services on Microsoft SharePoint Server 2013
Microsoft Office Web Apps 2010 Service Pack 1
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013

IS THERE AN ACTIVE ATTACK ON THIS VULNERABILITY?

Microsoft reports limited, targeted attacks in the wild directed at Word 2010, but that could change at any time. Most attack scenarios require the user to open the malicious file, whether from an email attachment, a web link, or removable media such as a USB key; however, simply previewing an email with a malicious RTF body in the Outlook preview pane is enough to trigger the vulnerability when Word is the email viewer. There are no “drive-by” web attacks enabled by this vulnerability, but the malicious email scenario is concerning because it requires no user action that is out of the ordinary.

HOW CAN WE PROTECT OURSELVES AGAINST THIS VULNERABILITY?

The only effective defense at this time is to prevent Word from opening RTF content. Microsoft has a “Fix It” available (https://support.microsoft.com/kb/2953095) that blocks Word from opening RTF files; because Outlook uses Word to render email, this also covers RTF email when Word is the email viewer. The block is a per-user setting, so it must be applied in each user's profile rather than once per machine. Additional steps that you might take are:

- If you have an email security system, configure it to block or quarantine all RTF attachments. Match on the file's content as well as on the .rtf extension: Word recognizes RTF by its header, so an RTF document saved with a .doc extension still opens as RTF.

- If you have a web security gateway, configure it to block download of all RTF files, again by content and not only by extension.

- Educate your users about the issues with RTF attachments, and suggest vigilance at home as well as at work.

- When a patch is available, install it and undo these workarounds.

- Read emails in plain text. (Please note: email messages in plain text format do not contain pictures, special fonts or other rich text content. If this option is deployed, communication to end users is highly recommended to provide clarity and direction.)
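The Fix It, the plain-text mail setting and the later rollback are all registry changes under each user's hive. The script below is an added example, not code from Eden or from the Microsoft Fix It, that applies, reports and reverts both workarounds in one place. The key and value names (FileOpenBlock\RtfFiles for Word, Options\Mail\ReadAsPlain for Outlook) are the ones the Microsoft advisory documents for the manual workaround; confirm them against the current advisory text before deploying. It assumes Windows PowerShell 3.0 or later and covers only Word and Outlook on Windows, not Office for Mac, the Word Viewer, the Compatibility Pack or the SharePoint and Web Apps servers.

```powershell
# Added example (not Eden's or Microsoft's code). Sets, checks and reverts the
# per-user registry workarounds for Advisory 2953095:
#   Word File Block: HKCU:\Software\Microsoft\Office\<ver>\Word\Security\FileOpenBlock
#                    DWORD RtfFiles = 1   (Word refuses to open RTF content)
#   Outlook:         HKCU:\Software\Microsoft\Office\<ver>\Outlook\Options\Mail
#                    DWORD ReadAsPlain = 1 (read all mail as plain text)
# Key names are taken from the advisory's manual workaround (assumption: verify
# against the advisory). Both live under HKEY_CURRENT_USER, so run this in each
# user's context (logon script or Group Policy Preferences), not once per machine.

[CmdletBinding()]
param(
    [switch]$Revert,   # remove the workarounds once the patch is installed
    [switch]$Status    # only report the current state, change nothing
)

# Registry version numbers: 11.0 = Office 2003, 12.0 = 2007, 14.0 = 2010, 15.0 = 2013.
# Writing a key for a version that is not installed is harmless, so all four are
# written instead of trying to detect which Office is present.
$officeVersions = '11.0', '12.0', '14.0', '15.0'

function Get-WorkaroundTargets {
    foreach ($ver in $officeVersions) {
        [pscustomobject]@{
            Product = "Word $ver"
            Key     = "HKCU:\Software\Microsoft\Office\$ver\Word\Security\FileOpenBlock"
            Name    = 'RtfFiles'
        }
        [pscustomobject]@{
            Product = "Outlook $ver"
            Key     = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Options\Mail"
            Name    = 'ReadAsPlain'
        }
    }
}

function Enable-Workaround {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null      # -Force creates missing parent keys
    }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-Workaround {
    param([string]$Key, [string]$Name)
    if (Test-Path -Path $Key) {
        Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    }
}

function Get-WorkaroundStatus {
    foreach ($t in Get-WorkaroundTargets) {
        $value = $null
        if (Test-Path -Path $t.Key) {
            $value = (Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        }
        [pscustomobject]@{
            Product = $t.Product
            Setting = $t.Name
            Applied = ($value -eq 1)
        }
    }
}

if (-not $Status) {
    foreach ($t in Get-WorkaroundTargets) {
        if ($Revert) { Disable-Workaround -Key $t.Key -Name $t.Name }
        else         { Enable-Workaround  -Key $t.Key -Name $t.Name }
    }
}

# Always finish by reading the values back, so every run is self-verifying.
Get-WorkaroundStatus | Format-Table -AutoSize
```

Run it with no switches to apply both workarounds, with -Status to audit a user's profile without changing anything, and with -Revert after the patch is installed to restore RTF handling and HTML mail. If the organization already manages File Block through Group Policy (the Policies branch of the registry), the policy value takes precedence over these per-user values, so check the policy first if the status report does not match what users see.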

Although some of these suggestions may seem redundant, they will provide you with defense in depth, in case one measure doesn’t work.
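The email and web gateway rules above are only as good as their file-type test. Word identifies RTF by the "{\rtf" header at the start of the file, not by the extension, so a rule keyed on "*.rtf" misses the common case of an RTF document delivered as invoice.doc. The script below is an added example, not part of the Eden page, showing the content check a gateway or mailbox sweep needs; the sample files it writes to a temp folder are constructed for the demonstration, and only the header test reflects the real format. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the Eden page). Classifies files as RTF by content the
# way Word does, so RTF documents hiding behind a .doc (or any other) extension
# are caught. Sample files below are constructed for the demonstration.

function Test-RtfContent {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$Count = $Bytes.Length
    )
    if ($Count -le 0) { return $false }
    # An RTF document begins with the group "{\rtf" (normally "{\rtf1"). Searching
    # the first 512 bytes rather than offset 0 only is a deliberate over-match for
    # a blocking rule: quarantining a padded file is cheaper than letting one through.
    $head = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, [Math]::Min($Count, 512))
    return $head.Contains('{\rtf')
}

function Find-RtfFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        # Read only the header; no need to load a large attachment into memory.
        $buffer = New-Object byte[] 512
        $stream = [System.IO.File]::OpenRead($_.FullName)
        try     { $read = $stream.Read($buffer, 0, $buffer.Length) }
        finally { $stream.Dispose() }
        $isRtf = Test-RtfContent -Bytes $buffer -Count $read
        [pscustomobject]@{
            File              = $_.Name
            Extension         = $_.Extension
            IsRtf             = $isRtf
            # The case a filter must catch: RTF content behind a non-RTF extension.
            ExtensionMismatch = ($isRtf -and ($_.Extension -ne '.rtf'))
        }
    }
}

# --- Constructed demonstration input (harmless files in a scratch folder) ---
$sample = Join-Path $env:TEMP ('rtfscan-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $sample | Out-Null

# A minimal, benign RTF body: format header, a font table and one line of text.
$rtfText = '{\rtf1\ansi\deff0 {\fonttbl {\f0 Calibri;}} \f0\fs22 Hello\par}'
[System.IO.File]::WriteAllText((Join-Path $sample 'memo.rtf'), $rtfText)      # honest .rtf
[System.IO.File]::WriteAllText((Join-Path $sample 'invoice.doc'), $rtfText)   # RTF disguised as .doc

# A fake binary .doc: the OLE compound-file signature D0 CF 11 E0 A1 B1 1A E1 plus padding.
[byte[]]$ole = @(0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1) + (New-Object byte[] 504)
[System.IO.File]::WriteAllBytes((Join-Path $sample 'report.doc'), $ole)
[System.IO.File]::WriteAllText((Join-Path $sample 'notes.txt'), 'plain text, nothing to see')

# Expected: memo.rtf and invoice.doc flagged IsRtf; only invoice.doc is a mismatch.
Find-RtfFiles -Path $sample | Format-Table -AutoSize
Remove-Item -Path $sample -Recurse -Force
```

On a mail gateway the same header test runs against each MIME part after decoding, including the message body itself for RTF-bodied mail, and against the contents of any archive attachment, since a zipped RTF is still an RTF once the user extracts it.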

Eden Technologies Page 2

DO I NEED TO INSTALL A PATCH WHEN IT COMES OUT?

Yes, you do. Eden, Microsoft, and every security expert we know all recommend that you keep your systems patched and upgraded to supported versions of all software. In addition, the workarounds disable functionality that your users may need. Applying the patch and reversing the workarounds will restore that functionality for them.

Note that Office 2003 reaches the end of its support on April 8, 2014; if the patch is released after that date, it will not be available for Office 2003. If you are still using Office 2003, you should plan an upgrade now.

Have more questions about this vulnerability and your options?

Our Eden experts are actively monitoring this and other active security issues. We can also discuss with you your options in upgrading from Office 2003. Feel free to reach out to us with your questions or concerns at [email protected] or 212-206-0030.

About Eden Technologies

Eden Technologies is an IT consultancy that addresses the challenges of delivering critical business data and applications to employees and clients, anytime, anywhere, on any platform.

Eden was founded in 2002 by two engineers who believe that focused thought, applied in a consistent manner, delivers great results. To that end, we approach every engagement, no matter the scale or impact, with a well-proven methodology that defines success. This methodology, combined with a team of 100+ thoughtful, experienced and engaging engineers, allows us to focus on delivering a high-value user experience. Some call it excellence, we call it Done. Done.™
