It is recommended that users install this security patch immediately to avoid any unforeseen problems.
Microsoft released a patch for a zero-day vulnerability in the Office productivity suite and WordPad in this month’s Patch Tuesday cycle. If unaddressed, the vulnerability would have allowed attackers to infect systems with malware using a compromised RTF document.
Details of this security vulnerability were published online early this week, with Microsoft acknowledging the problem and promising a security fix as soon as possible. The company also recommended that users avoid opening RTF documents from untrusted sources until a patch has been deployed.
“A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft says.
The company has also explained how the patch fixes the vulnerability, adding that in most cases the compromised RTF document is delivered to potential targets via email.
“The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue,” the company adds.
It is recommended that users deploy this patch immediately to avoid being attacked, especially given that it is a zero-day vulnerability and the details have already been published online.
If immediate patching is not possible, users are advised to avoid opening RTF documents from untrustworthy sources, or to open them with other applications that can handle this format and are not affected by this vulnerability.