[Updated] Cybercriminals Actively Exploiting 0-Day Vulnerability in Microsoft Word
Update 4/8/14 : Microsoft has released a security update that addresses this bug. Download & install the patch using Windows Update.
Microsoft is alerting the public about a 0-day vulnerability in Microsoft Word that’s actively being exploited in-the-wild.
The attacks seen so far have been limited and target Word 2010, but the vulnerability exists in other versions of Word.
Microsoft warns that the flaw could allow an attacker to execute arbitrary code if the victim opens a specially crafted RTF file using an affected version of Microsoft Word, or previews/opens a specially crafted RTF message in Microsoft Outlook while using Microsoft Word as the email viewer.
Note: Microsoft Word is the default email reader in Microsoft Outlook 2007, Microsoft Outlook 2010 and Microsoft Outlook 2013.
Software Affected by the 0-Day Flaw
Users that are running the following software on their PC should take precautionary steps to keep their system safe:
- Microsoft Word 2003 SP3
- Microsoft Word 2007 SP3
- Microsoft Word 2010 SP1 and SP2 (32-bit)
- Microsoft Word 2010 SP1 and SP2 (64-bit)
- Microsoft Word 2013 (32 & 64-bit)
- Microsoft Word 2013 RT
- Microsoft Word Viewer
- Microsoft Office Compatibility Pack SP3
- Microsoft Office for Mac 2011
- Word Automation Services on Microsoft SharePoint Server 2010 (SP1 & SP2)
- Word Automation Services on Microsoft SharePoint Server 2013
- Microsoft Office Web Apps 2010 SP1 and SP2
- Microsoft Web Apps Server 2013
How to Protect Your PC
To keep their system safe, Microsoft is advising users to download and install the security update that patches this bug via Windows Update (see Microsoft Security Bulletin MS14-017 for details).