Worryingly, the zero-day attack means that users’ computers can be infected simply by *previewing* a specially crafted email message in Microsoft Outlook.
In other words, it’s not necessarily to actually open an malicious attachment or click on a dangerous link to put your computer in danger.
Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
Although Microsoft states that the targeted attacks it has seen so far have been directed at users of its Word 2010 product, it’s clear that the remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, as well as Office for Mac 2011.
Microsoft Outlook 2007, 2010 and 2013 all use Word by default as the email reader.
Microsoft is hopefully beavering away on a proper patch, but in the meantime they recommend that users consider applying their temporary Fix it solution which disables the opening of RTF content in Microsoft Word, or switch to reading emails in plain text format.
For more information on how to configure Microsoft Outlook 2003, 2007, 2010 and 2013 to read emails in plain text format, check out the following Microsoft knowledgebase articles:
- How to view all e-mail messages in plain text format (Office 2003, 2007 and 2010)
- How to read email messages in plain text (Office 2013)
This isn’t, of course, the first time that malware has been able to infect computers just by emails being read (as opposed to links being clicked on, or attachments opened).
Readers with long memories may remember the BubbleBoy and Kakworm attacks, for instance. Kakworm became particularly widespread at the tail end of the 1990s, exploiting a security hole in Microsoft Outlook Express to spread its viral code around.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.