Microsoft ‘zero day’ vulnerability: previewing emails in Outlook can lead to malware infection

On 24 March Microsoft released details about a vulnerability in Microsoft Word that can be used to infect computers with malware. The disturbing part, however, is that computers can be infected just by ‘previewing’ an email in Microsoft Outlook.

This method of infection is what makes the vulnerability so dangerous: for the malware to be installed, a user isn’t required to open an attachment or click a link.

Microsoft published the following statement on their website:

Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

The default email reader for Outlook 2007, 2010 and 2013 is Word.

Whilst Microsoft is working on providing a patch for this vulnerability, they have strongly advised that users should disable the opening of RTF content in Word. Alternatively, you could switch to reading emails in plain text.
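
As an added example (not part of Microsoft's advisory or of the original article), here is a check a mail administrator could run over inbound messages while the patch is pending. It flags any MIME part whose bytes begin with the RTF signature, whatever its file name or declared type, plus parts declared as RTF or TNEF. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

RTF_SIGNATURE = b"{\\rt"  # prefix match tolerates variation in what follows the signature
# Declared types that carry RTF. Outlook sends rich-text messages as TNEF (winmail.dat),
# where the RTF body is compressed, so the signature is not visible and the type is used.
RTF_TYPES = {"text/rtf", "application/rtf", "application/ms-tnef", "application/vnd.ms-tnef"}

def find_rtf_parts(raw: bytes):
    """Return (filename, content_type, reason) for each leaf MIME part that is or may carry RTF."""
    hits = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # Judge by content, not by name: an RTF file renamed .doc is still RTF
        if payload.lstrip()[:len(RTF_SIGNATURE)].lower() == RTF_SIGNATURE:
            hits.append((part.get_filename(), ctype, "rtf-signature"))
        elif ctype in RTF_TYPES:
            hits.append((part.get_filename(), ctype, "declared-type"))
    return hits

def build_sample() -> bytes:
    """Constructed test message: benign RTF named .doc, a PDF stub, and a TNEF stub."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(b"%PDF-1.4 stub", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    msg.add_attachment(b"\x78\x9f\x3e\x22stub", maintype="application",
                       subtype="ms-tnef", filename="winmail.dat")
    return bytes(msg)

if __name__ == "__main__":
    for name, ctype, reason in find_rtf_parts(build_sample()):
        print(f"{name}: {ctype} ({reason})")
```

Flagged parts can be quarantined or stripped at the gateway; this complements, and does not replace, disabling RTF in Word or reading mail in plain text.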

It’s imperative that all those who could possibly be affected by this vulnerability understand the severity of the danger it poses.