Author Topic: MS Word vulnerability  (Read 1443 times)

Offline Maik

  • Administrator
  • Forum Deity
  • *****
  • Posts: 14570
MS Word vulnerability
« on: Tuesday, 25 March, 2014 @ 02:55:30 »
Quote
Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Applying the Microsoft Fix it solution, "Disable opening RTF content in Microsoft Word," prevents the exploitation of this issue through Microsoft Word.
http://technet.microsoft.com/en-us/security/advisory/2953095

Looks like the vulnerability could affect Word versions 2003 - 2013 and Word Viewer (see link above).

Temporary MS 'Fix it' available here: https://support.microsoft.com/kb/2953095

Offline Maik

  • Administrator
  • Forum Deity
  • *****
  • Posts: 14570
Re: MS Word vulnerability
« Reply #1 on: Saturday, 05 April, 2014 @ 06:28:56 »
Quote
On Tuesday, April 8, 2014, Microsoft is planning to release four (4) bulletins.  Two of the bulletins are identified as Critical with the other two as Important.

The updates address vulnerabilities in Microsoft Windows, Office and Internet Explorer.

The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095.  If the Fix it was installed on your computer, after installing the update, it will be necessary to disable the Fix it to ensure RTF files will again render normally.

As has been widely publicized, support ends for Windows XP and Office 2003 on April 8, 2014. Thus, these will be the last security updates for those products.
http://securitygarden.blogspot.gr/2014/04/security-bulletin-advance-notice-for.html

'Un-Fix It' available via Fix It link above