What the RTF? Mac and Windows users at risk from boobytrapped documents

In the mid-1990s, with the emergence of Word macro viruses – capable of infecting both Windows PCs and Apple Macs via Word documents – it was common practice to recommend that users avoid sharing .DOC files and use Rich Text Format (.RTF) files instead.

The reasoning was that Rich Text Format didn’t support the macro language that Microsoft had embedded inside .DOC files, and so it was a much safer way to share information in the office.

The latest batch of security bulletins issued by Microsoft, however, underlines the importance of not treating any security advice as permanently written in stone.

Microsoft has warned Windows and Mac users that they could be at risk from boobytrapped RTF files if they leave their copies of Microsoft Office unpatched:

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In shorthand that means a malicious attacker could send you a poisoned RTF file, and the simple act of you opening it in MS Word on a Windows or Mac computer could allow them to run malicious code. Potentially, for instance, they could open a backdoor that could allow them to gain remote access to your files or install further malware.

Nasty.

And don’t be fooled into thinking this is the only threat related to RTF files. For instance, back in November 2010, a stack buffer overflow vulnerability (CVE-2010-3333) was patched by Microsoft. Despite a fix being available since then, we still see it being regularly exploited by cybercriminals.

Here’s a podcast where Naked Security’s Chet Wisniewski interviews SophosLabs expert Paul Baccas about how cybercriminals manipulate RTF files:

If you’re an Apple Mac user, then it’s important for you to know that Office 2008 and 2011 for Mac are at risk from the most recently announced vulnerability. You can either use the program’s auto-updater to download the required security updates, or download the Microsoft Office 2008 for Mac 12.3.3 Update or Microsoft Office 2011 14.2.2 Update directly from Microsoft.

Updating Word for Mac

Note that if you rely solely upon the Software Update feature built into Mac OS X it will not update the Microsoft product.

With the current interest being shown by cybercriminals in infecting Macs, it would be extremely sensible for all users of Microsoft Office on the Mac to update their systems as a matter of priority.

PC users, meanwhile, should be aware that all editions of Word 2003, Microsoft Office 2007 and Microsoft Compatibility Pack are affected by the vulnerability. Fixes for Windows users can be automatically downloaded via Microsoft Update or directly from Microsoft’s website.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
