LFI to RCE via access_log injection

Microsoft Word Zero-Day Vulnerability is being exploited in the Wild



Microsoft warned about a zero-day vulnerability in Microsoft Word that is being actively exploited in targeted attacks and discovered by the Google security team. “At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010…” company said.

According to Microsoft's security advisory, Microsoft Word is vulnerable to  a remote code execution vulnerability (CVE-2014-1761) that can be exploited by a specially crafted Rich Text Format (RTF).

An Attacker can simply infect the victim's system with malware if a user opens a malicious Rich Text Format (RTF), or merely preview the message in Microsoft Outlook.

"The issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code."

Microsoft acknowledged that remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011.

Microsoft is working on an official patch, which will be released with the next Patch Tuesday security updates on April 8.

But in the meantime, Windows users can use temporary 'Fix It' tool to patch this vulnerability and also can install Enhanced Mitigation Experience Toolkit (EMET) tool that can mitigate this vulnerability.

Do not download .RTF files from the suspicious websites, and do not open or preview .RTF email attachments from strangers.

Comments