Microsoft Warns of Malicious RTF Files, Remote Code Execution


On Monday, Microsoft issued a security advisory (2953095) notifying IT professionals and end-consumers of a vulnerability affecting “supported versions of Microsoft Word.”

Per the advisory, specific rich text files (.RTF) that can be opened or previewed using many Microsoft software products, specifically Microsoft Word (2003-2013)and related service packs, could leave users vulnerable to remote code execution.

shutterstock_155815598If successful, the attacker could gain the same user rights as the legitimate user. The impact of a successful attack depends on the rights of the given user (e.g., standard, administrative). Please note that Microsoft Word 2010 is also the default email reader for in Microsoft Outlook 2007, Microsoft Outlook 2010 and Microsoft Outlook 2013.

While Microsoft is currently working on a fix, they suggest to “Disable opening RTF content in Microsoft Word” to prevent exploitations.

According to InfoWorld’s Woody Leonhard, the vulnerability was discovered by Google early their year. Leonhard goes on to explain that RTF is a Microsoft standard the company created in 1987 — and the file type hasn’t received much maintenance or development since.

“Every single version of Word for Windows — going all the way back to Word 1.0 in 1989 — reads and writes RTF files. Every. Single. One,” said Leonhard. “Yet 25 years later, we’re still seeing dangerous, drive-by-caliber security holes in the way Word handles RTF.

“And every time Microsoft tells us about an RTF hole in Word, its immediate suggestion is to simply disable RTF in Word. That’s what happened this time, too.”

Microsoft offers a variety of mitigating factors — including Web-based attack scenarios — to help end-users understand the ramifications of a successful attack.

It is advised that until Microsoft releases a fix for this issue, refrain from opening RTF files.

For a detail explanation of the issue, mitigations, attack vectors, possible exploits and more, please read Security Advisory 2953095: recommendation to stay protected and for detections on Microsoft’s Security Research and Defense Blog.


Entrust provides identity-based security solutions that empower enterprises, consumers, citizens and websites in more than 5,000 organizations spanning 85 countries. Entrust's identity-based approach offers the right balance between affordability, expertise and service. With more than 125 patents granted and pending, these world-class solutions include strong authentication, physical and logical access, credentialing, mobile security, fraud detection, digital certificates, SSL and PKI.


Add to the Conversation