Redmond must be focused on its Build 2014 developers’ conference on April 2 and the release of Windows 8.1.1 — there are no new updates this week.
Use this reprieve from patching to follow up on some lingering update problems and a new Word zero-day threat.
MS releases fixit for new Word vulnerability
On Monday, March 24, Microsoft released Security Advisory 2953095, which warns of active zero-day attacks directed at Word 2010 users. The threat comes from malicious RTF files that are opened in Word or — potentially — previewed in Office.
While we wait for an official update, a Microsoft Security Research and Defense Blog post offers the following suggestions:
- If you have the latest Enhanced Mitigation Experience Toolkit (EMET; site) installed in its default configuration, you’re protected.
- If you can’t install EMET or want still more protection, MS Support article 2953095 includes a fixit that will block RTF files from being opened in Word.
- Network administrators can use the Windows Trust Center to make their own custom File Block settings (more info) to block RTF files.
And I’ll add one of my own. Consider installing PocketKnife Peek (site), a tool that lets you preview your email as plain text before opening it. It works on 32-bit versions of Office 2000 to 2013.
Brian Krebs noted in his security blog that merely previewing the file in Outlook could allow an attack. But I’m not sure that’s exactly true. The aforementioned SRD blog states, “There is a theoretical Outlook attack vector for RTF vulnerabilities through the preview pane. The reduced functionality of the preview pane makes this attack vector extremely hard to carry, and, to date, we have never seen exploits leveraging this mechanism.”
What to do: I recommend installing EMET 4.1 (site) rather than relying on the fixit. But if you’re not comfortable installing EMET or you run into problems after installation, then the fixit (site) mentioned above is the next-best bet for now. Again, there are already a few reports of active attacks.
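For administrators who would rather see exactly what the RTF File Block workaround changes than run an opaque fixit, here is an added PowerShell script (my example, not the column’s, Microsoft’s or the fixit’s own code). It audits, applies or removes the Trust Center File Block values for RTF in Word 2007, 2010 and 2013. It assumes the per-user registry key `HKCU:\Software\Microsoft\Office\<version>\Word\Security\FileBlock` and the two DWORD values `RtfFiles` (2 = block open and save) and `OpenInProtectedView` (0 = do not fall back to Protected View), which are the settings behind the Trust Center File Block feature; verify them against the advisory’s workaround text before deploying.

```powershell
# Added example: audit / apply / remove the Word RTF File Block workaround.
# Assumptions (not taken from the column): key path and value meanings below.
# Run as the user whose Word profile should change; the keys live under HKCU.
[CmdletBinding()]
param(
    [switch]$Apply,     # set RtfFiles=2, OpenInProtectedView=0 where not already set
    [switch]$Restore,   # remove the two values again once an official update ships
    [string[]]$OfficeVersions = @('12.0', '14.0', '15.0')  # Office 2007, 2010, 2013
)

function Get-FileBlockKey {
    param([string]$Version)
    "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
}

function Get-RtfFileBlockState {
    # Returns $null when Word of that version has no profile key for this user.
    param([string]$Version)
    $wordKey = "HKCU:\Software\Microsoft\Office\$Version\Word"
    if (-not (Test-Path $wordKey)) { return $null }

    $props = Get-ItemProperty -Path (Get-FileBlockKey $Version) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Version             = $Version
        RtfFiles            = if ($props) { $props.RtfFiles } else { $null }
        OpenInProtectedView = if ($props) { $props.OpenInProtectedView } else { $null }
        # "Blocked" means both values match the workaround exactly.
        Blocked             = [bool]($props -and $props.RtfFiles -eq 2 -and
                                     $props.OpenInProtectedView -eq 0)
    }
}

function Set-RtfFileBlock {
    # Block RTF open/save in Word and disable the Protected View fallback.
    param([string]$Version)
    $key = Get-FileBlockKey $Version
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'RtfFiles' -Value 2 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'OpenInProtectedView' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Remove-RtfFileBlock {
    # Undo the workaround by deleting the two values (Word then uses its defaults).
    param([string]$Version)
    $key = Get-FileBlockKey $Version
    if (-not (Test-Path $key)) { return }
    foreach ($name in 'RtfFiles', 'OpenInProtectedView') {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
}

foreach ($v in $OfficeVersions) {
    $state = Get-RtfFileBlockState -Version $v
    if ($null -eq $state) {
        Write-Verbose "Office $v`: no Word profile key under HKCU, skipping"
        continue
    }
    if ($Restore) {
        Remove-RtfFileBlock -Version $v
    } elseif ($Apply -and -not $state.Blocked) {
        Set-RtfFileBlock -Version $v
    }
    # Re-read so the report reflects what is actually in the registry now.
    Get-RtfFileBlockState -Version $v
}
```

Run it with no switches first to see the current state for each installed Office version; add `-Apply` to set the block and `-Restore` to take it off again after the real update is installed. Because these are HKCU values, the script has to run in each affected user’s session (or be pushed through a logon script or Group Policy Preferences), and it does nothing for versions whose Word key is absent, which is the same condition the File Block UI itself depends on.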
Nonsecurity Office updates turn app tiles blank