More IT Grief: Office Exploit Broadly Released

• By William Jackson
• 01/06/11

Code that can exploit a Rich Text Format flaw in Microsoft Office has been published, according to a Microsoft announcement late last month.

The good news is that IT pros who applied Microsoft November patch for this exploit have addressed that RTF vulnerability in Office. However, those behind on completing their patching tasks may need to find the time, especially with the general availability of the attack code. The Office flaw just adds to IT woes. Microsoft also recently issued a security advisory concerning a Windows graphics rendering engine flaw. Additionally, there's a Microsoft security advisory released on Internet Explorer, plus Microsoft is investigating a proof-of-concept flaw in Internet Information Services FTP 7.5.

Microsoft released a patch for the Office RTF vulnerability, known as CVE-2010-3333, in November, and no widespread outbreaks of exploits have yet been reported. The public availability of an exploit lowers the bar for attackers, however, and increases the urgency for seeing that affected software is patched.

"Hopefully, everybody is adhering to best practices and patching as soon as possible," said Joshua Talbot, security intelligence manager for Symantec Security Response. "If people haven't made this a priority, now would be a good time."

The RTF Stack Buffer Overflow Vulnerability affects Microsoft Office XP and Office 2003 Service Pack 3, Office 2007 SP2, as well as Office 2010 32-bit and 64-bit editions. Microsoft described the vulnerability and released a patch for it in its November security bulletin. A flaw in the way Office software processes RTF data can allow an attacker to take control of the victim's computer to install programs; view, change, or delete data; or create new accounts with full user rights.

The vulnerability was rated important or critical, depending on the platform.

"We predicted at the time that it would become a target of attackers," Talbot said. "Since then we've seen a number of attacks in the wild, but no widespread exploitation."

But with the public availability of attack code, that could change. "The main concern is that the exploit is available so that less-skilled attackers can use it," Talbot said.

Microsoft's Malware Protection Center Blog reported Dec. 29 that a sample of a successful exploit for this vulnerability able to execute malicious shellcode that downloads other malware had been found a few days before Christmas.

"The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one," Microsoft reported in its MMPC blog. "The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack."

In addition to patching affected software, Microsoft recommended using Office File Block to block opening RTF documents from unknown or untrusted sources.

Because the vulnerability exists in Office software, Microsoft Outlook also could be used as a vector for delivering attacks by sending an RTF message by e-mail and having it open automatically in the Outlook preview pane. The current exploit uses only RTF Word documents, however, which could reduce the danger because it would require the recipient to open the document rather than having this happen automatically.

Microsoft advised reading e-mails only in plain text formats as a workaround. Users of Outlook 2002 who have applied Office XP Service Pack 1 or a later version can require that messages that are not digitally signed or encrypted be read only as plain text.