Just previewing an Outlook email could infect your computer. Microsoft warns of zero-day flaw

RTFMicrosoft has warned computer users that malicious hackers are exploiting a previously unknown vulnerability in Microsoft Word, in order to infect computers with malware.

Worryingly, the zero-day attack means that users’ computers can be infected simply by *previewing* a specially crafted email message in Microsoft Outlook.

In other words, it’s not necessarily to actually open an malicious attachment or click on a dangerous link to put your computer in danger.

Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

Sign up to our free newsletter.
Security news, advice, and tips.

Although Microsoft states that the targeted attacks it has seen so far have been directed at users of its Word 2010 product, it’s clear that the remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, as well as Office for Mac 2011.

Microsoft Outlook 2007, 2010 and 2013 all use Word by default as the email reader.

Microsoft is hopefully beavering away on a proper patch, but in the meantime they recommend that users consider applying their temporary Fix it solution which disables the opening of RTF content in Microsoft Word, or switch to reading emails in plain text format.

For more information on how to configure Microsoft Outlook 2003, 2007, 2010 and 2013 to read emails in plain text format, check out the following Microsoft knowledgebase articles:

This isn’t, of course, the first time that malware has been able to infect computers just by emails being read (as opposed to links being clicked on, or attachments opened).

Readers with long memories may remember the BubbleBoy and Kakworm attacks, for instance. Kakworm became particularly widespread at the tail end of the 1990s, exploiting a security hole in Microsoft Outlook Express to spread its viral code around.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

3 comments on “Just previewing an Outlook email could infect your computer. Microsoft warns of zero-day flaw”

  1. Matt

    Another notch in the coffin of a once great empire. Like Venice or Spain?

  2. Paul

    Time to check out the free & feature-packed LibreOffice. Its truly multi-platform & takes just a few minutes to install.

    Try it you have so much to gain: www.libreoffice.org/download

    Feel Thunderbird is great too.

  3. Ken Harthun

    I've been writing about security since 2004. In my "14 Golden Rules of Computer Security" series, started in 2005, Rule #6 recommended turning off preview in any email client: http://itknowledgeexchange.techtarget.com/security-corner/golden-rule-sharp-6-turn-off-message-preview-in-your-email-client/

    I'm surprised that it takes a zero-day vulnerability for Microsoft to notice and recommend the same thing.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.