Vulnerability in Microsoft Word Could Allow Remote Code Execution

Updates are now available:

The links are in the following Office Update Blog post:

https://blogs.technet.com/b/office_sustained_engineering/archive/2014/04/08/april-2014-office-update-release.aspx


As reported, Microsoft is working on a fix to address the recently reported vulnerability involving RTF files in Microsoft Word.

The following security blog contains some good information about the vulnerability.

Date for Office Patch

Microsoft plans to address this issue with an update on April 8th.

The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095. This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010. The update will fully address all affected versions.

https://blogs.technet.com/b/msrc/archive/2014/04/03/advance-notification-service-for-the-april-2014-security-bulletin-release.aspx

Microsoft provides vulnerability information to major security software providers, which can then use this information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Mitigation using File Block

One mitigation for the Windows versions of Word is to enable the File Block option for the Rich Text Format (RTF). This option is available in the Trust Center for Word 2010 and 2013.

Figure 1: File Block Settings in the Trust Center.

Registry keys for the RTF File Block

The registry keys for 2010 and 2013 are a little different from those for 2003 / 2007. In the later versions a single FileBlock key replaces the separate Open and Save keys used in 2003 / 2007.

  • Word 2013

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
"RtfFiles"=dword:00000002

  • Word 2010

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]
"RtfFiles"=dword:00000002

  • Word 2007

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000001

  • Word 2003

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000001
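To check that the RTF File Block is actually in place on a given machine (and optionally to set it), here is an added PowerShell audit script; it is not part of the original post or of any Microsoft tool. It uses only the key paths and values listed above, written in PowerShell's HKCU:\ drive notation, and the -Apply switch and the "is this Word version installed" check are assumptions of this example.

```powershell
# Added example (not from the original post): audit, and with -Apply set,
# the RtfFiles File Block value for each Word version listed above.
# Run in the context of the affected user, since the keys live under HKCU.
param([switch]$Apply)

# Key path and expected REG_DWORD value per Word version, as given in the post.
# 2013/2010 use the single FileBlock key; 2007/2003 use FileOpenBlock.
$targets = @(
    @{ Version = 'Word 2013'; Path = 'HKCU:\Software\Microsoft\Office\15.0\Word\Security\FileBlock';     Value = 2 },
    @{ Version = 'Word 2010'; Path = 'HKCU:\Software\Microsoft\Office\14.0\Word\Security\FileBlock';     Value = 2 },
    @{ Version = 'Word 2007'; Path = 'HKCU:\Software\Microsoft\Office\12.0\Word\Security\FileOpenBlock'; Value = 1 },
    @{ Version = 'Word 2003'; Path = 'HKCU:\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock'; Value = 1 }
)

foreach ($t in $targets) {
    # Heuristic (assumption of this example): treat a version as installed when
    # its per-user ...\<version>\Word key exists, which Word creates on first run.
    $wordKey = Split-Path (Split-Path $t.Path -Parent) -Parent
    if (-not (Test-Path $wordKey)) {
        Write-Output "$($t.Version): not present for this user, skipped"
        continue
    }

    # Read the current RtfFiles value, if the key and value exist at all.
    $current = $null
    if (Test-Path $t.Path) {
        $current = (Get-ItemProperty -Path $t.Path -Name RtfFiles -ErrorAction SilentlyContinue).RtfFiles
    }

    if ($current -eq $t.Value) {
        Write-Output "$($t.Version): RTF File Block enabled (RtfFiles=$current)"
    } elseif ($Apply) {
        # Create the key if needed, then write the DWORD value from the post.
        if (-not (Test-Path $t.Path)) { New-Item -Path $t.Path -Force | Out-Null }
        New-ItemProperty -Path $t.Path -Name RtfFiles -PropertyType DWord -Value $t.Value -Force | Out-Null
        Write-Output "$($t.Version): RtfFiles set to $($t.Value)"
    } else {
        $shown = if ($null -eq $current) { 'missing' } else { $current }
        Write-Output "$($t.Version): RTF NOT blocked (RtfFiles=$shown); rerun with -Apply to set it"
    }
}
```

Once the MS14-017 update is installed, remove the RtfFiles value again (for example with Remove-ItemProperty on the same path) so that RTF files open normally, as the MSRC post above advises for the Fix it.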

Deploying using a Group Policy

Here are various articles about the Administrative Templates for the different Office versions and about deploying Office registry keys via Group Policy.

Available Policy Template Downloads (contains the File Block items)

Group Policy Templates:

More Information:

Macintosh

We do not have any means to mitigate this in the Macintosh environment comparable to the File Block for RTF options that the security advisory discusses. The Macintosh versions do not have this infrastructure for blocking the various file types and invoking Protected View.