It's 2014 and you can pwn a PC by opening a .RTF in Word, Outlook

Microsoft has warned its Word software is vulnerable to a newly discovered dangerous bug – which is being exploited right now in "limited, targeted attacks" in the wild. There is no patch available at this time. The flaw is triggered by opening a maliciously crafted RTF document in the Microsoft Office word processor, or …


This topic is closed for new posts.
  1. JimmyPage Silver badge

    Microsoft Word 2003, 2007, 2010, 2013

    See Icon ->

    1. Graham Marsden

      Re: Microsoft Word 2003, 2007, 2010, 2013

      Well isn't it good that I'm still using Word 97...

      1. Yet Another Anonymous coward Silver badge

        Re: Microsoft Word 2003, 2007, 2010, 2013

        Fortunately I stuck with WindowsXP and OfficeXP so I'm safe

        1. Hans 1 Silver badge

          Re: Microsoft Word 2003, 2007, 2010, 2013

          &Office97 user

          NO, no, no, no .... RTF is pretty old ... since Office 97 and 2002 are no longer supported, I guess they have the issue, however, it will simply not be patched.

    2. JeffyPoooh Silver badge

      Re: Microsoft Word 2003, 2007, 2010, 2013

      Well the good news is that OpenOffice is safe if fed a maliciously crafted .doc file.

  2. Forget It
    IT Angle

    ElReg writes:

    Microsoft Word 2003, 2007, 2010, 2013, and Office for Mac 2011 are vulnerable, according to Redmond. Microsoft Office Web Apps, Automation Services on SharePoint Server 2010 and 2013, and Outlook 2007, 2010 and 2013 when using Word as the email viewer, are also affected.

    Legacy code or what!

    Their latest Web Apps replicate a bug of Word 2003???

    Code review anyone?

    1. malle-herbert Silver badge
      Big Brother

      Legacy code or what!

      Well, they DO have to keep the backdoors open for the spooks....

    2. Anonymous Coward

      @forget it

      They were too busy with the ribbon to actually worry about what's under the bonnet.

      1. This post has been deleted by its author

    3. Dan 55 Silver badge

      I bet if you fired up a VM with Windows 3.1 and ran WFW 2.0 the same bug would still be there...

      (But at least the UI would be better than Word 2013.)

      1. Anonymous Coward

        But at least the UI would be better than Word 2013.

        Lordy no! All those little buttons with tiny black and white icons of printers, floppy disks, etc?! And so buggy it crashed at least once a day (ok maybe that was Win3.1 as well)?

        Ah those GPFs...

    4. Roland6 Silver badge

      Given the age of the vulnerability, I wonder whether anyone has bothered to check how non-MS products handle this maliciously crafted RTF document.

  3. Anonymous Coward


    What else is there...?

    1. Captain Scarlet Silver badge

      Re: FFS!

      I imagine anything that can open Legacy Documents but we all know about them.

      Just need to start worrying when exploits on plain text files start to appear.

      1. TechnicalBen Silver badge

        Re: FFS!

        They have been around for years. A text file with something about typing the "Format" of the "C:" drive to speed up your computer.

    2. Mikel

      Re: FFS!

      You don't want to know.

  4. Anonymous Coward

    Having a ridiculous bug like that, spread over a decade of versions is one thing..

    But it's been known by Microsoft since the end of January. It's now almost the end of March, and there's still no patch for a remote code execution vulnerability, that's potentially in the wild??

    If you ever wanted a reason to use open-source then this is it!

    1. WillbeIT

      er hemm, January?

      January what year?

    2. Tom 13

      re: known by Microsoft since the end of January.

      I'll accept it might be difficult to patch the bug, regression test it, and still get it packaged for the March patch release. BFFS, why didn't you announce the mitigation options earlier?

  5. Anonymous Bullard
    Thumb Down

    Since 2003?

    Just goes to show that all new versions have been mostly cosmetic changes.

    1. Anonymous Coward

      "Just goes to show that all new versions have been mostly cosmetic changes."

      And not for the better !

      1. elDog Silver badge

        Yes, that's what I think too. However the little woman disagrees and applies more and more mascara and potions to hide the wrinkles.

        Think I'll go out looking for some new hussy (free and open and obviously without viruses, etc.)

        1. Anonymous Coward

          downvote for the misogynistic comments.

          1. Anonymous Coward

            "downvote for the misogynistic comments."

            To be fair there's no suggestion that any free open and virus-free hussy would be interested in having him!

    2. 9Rune5

      "all new versions have been mostly cosmetic changes"

      That is a bit of a stretch. RTF was never the main document format for MSWord. shows some changes to the RTF format over the years, but I don't necessarily see why you feel they should rewrite all of their code with every release. (Wouldn't that make it harder to ensure compatibility with previous versions -- something MSOffice users do have an interest in keeping?)

      1. hplasm Silver badge

        "... compatibility with previous versions..."

        MS Office- Crap yesterday, crap tomorrow. You can rely on it.

      2. the-it-slayer

        Arse to their Microsoft Word document

        Problem is... people don't know their arse to their Microsoft Word document most of the time in the home or office-scape. Especially when Word (AFAIK) conceals each document under the same icon. You'd need to understand what a file extension is to avoid opening a malicious document.

        Even worse, someone could easily send a mass *.doc/*.docx and disguise an RTF underneath as the later versions will auto detect the format?

        Oh oh.
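
The concern in the comment above, an RTF file delivered under a .doc/.docx name, can be checked on a mail gateway or file share by comparing each file's leading bytes with its extension. This is an added example, not part of the original thread; the function names, the lenient `{\rt` prefix match and the sample files are assumptions made for illustration.

```python
"""Flag Word-type files whose content signature disagrees with their extension."""
import os
import tempfile

# Leading-byte signatures of the container types Word opens.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy binary .doc/.dot
ZIP_MAGIC = b"PK\x03\x04"                        # .docx/.docm are ZIP archives
RTF_MAGIC = b"{\\rt"   # assumption: match leniently so a mangled "{\rtf1" still counts
UTF8_BOM = b"\xef\xbb\xbf"

# What each extension should contain.
EXPECTED = {
    ".rtf": "rtf",
    ".doc": "ole2", ".dot": "ole2",
    ".docx": "zip", ".docm": "zip", ".dotx": "zip",
}


def sniff(head: bytes) -> str:
    """Classify a file from its first bytes, ignoring a BOM or leading whitespace."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    text = head[len(UTF8_BOM):] if head.startswith(UTF8_BOM) else head
    if text.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def check(filename: str, head: bytes):
    """Return (expected, actual, verdict) for one file name and its leading bytes."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED.get(ext)
    actual = sniff(head)
    if expected is None:
        verdict = "skipped"      # not a Word extension, out of scope here
    elif actual == expected:
        verdict = "ok"
    else:
        verdict = "mismatch"     # e.g. RTF content behind a .doc name
    return expected, actual, verdict


def scan(directory: str, sniff_len: int = 64):
    """Walk a directory and list (path, expected, actual) for every mismatch."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(sniff_len)
            expected, actual, verdict = check(name, head)
            if verdict == "mismatch":
                findings.append((path, expected, actual))
    return findings


if __name__ == "__main__":
    # Constructed sample files, harmless content only.
    samples = {
        "invoice.doc": b"{\\rtf1\\ansi constructed sample}",
        "notes.rtf": b"{\\rtf1\\ansi constructed sample}",
        "report.docx": ZIP_MAGIC + b"constructed",
        "old.doc": OLE2_MAGIC + b"\x00" * 8,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        for path, expected, actual in scan(tmp):
            print(f"{os.path.basename(path)}: expected {expected}, found {actual}")
```

A mismatch is a reason to quarantine or inspect the file, not proof of malice: a document saved as RTF under a .doc name by an older workflow triggers the same finding.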

      3. Tom 13


        I wouldn't except

        The whole point of the Vista and Windows 7 rewrites according to MS was that they were re-writing the code from the ground up to make it secure. And with that commenced the directive of making security Job #1. Which to me implies checking the code with all your security tools at each release. As an earlier poster noted, the absence of Word 97 or earlier versions doesn't mean the bug doesn't exist in them, only that MS haven't arsed themselves to test them. So it could be a 20+ year old bug, but it is confirmed to be at least a 13 year old bug.

        1. Rick Giles

          @Tom 13 Re: @9Rune5

          "The whole point of the Vista and Windows 7 rewrites according to MS was that they were re-writing the code from the ground up to make it secure. And with that commenced the directive of making security Job #1."

          MAKE HIM STOP!!!


          Oh, better now.

          People are still using Microsoft products?

  6. James 100

    Support ends...

    "Mainstream" support for Office 2003 ended back in 2009 - and "extended" support for it ends early next month. I wonder how many installations of this won't get patched, particularly if this issue doesn't get patched by next month's cut-off? 2007 is out of "mainstream" support too, and I'm sure it's far from extinct out there - and probably far from currently patched...

    1. king of foo

      Re: Support ends...


      We only "upgraded" to 2007 just before Xmas. It was installed "vanilla" (no sp). Our I.T. team don't like updates. At all. I mean ANY updates for ANY software. Now whenever I have a meeting with our road warriors I make them fire up windows update before we get started

  7. veti Silver badge

    Incorrect MIME type

    How long (oh Lord) have we been telling Microsoft *not* to couple Word with Outlook? I know I told them, circa 1998, that it was a bad idea.

    It still is.

    1. Roland6 Silver badge

      Re: Incorrect MIME type

      Don't know about coupling Word with Outlook, but the insecurity of the Outlook preview mode has been known about since Outlook 97/98...

  8. Muscleguy Silver badge


    Office 2004 for Mac no longer runs under 10.7 after the upgrade from 10.6. Libre Office is now useable even if it does still take far too long to load, so no point in paying for the upgrade.

    I have warned the rest of the family: wife uses PCs and kids might well run various versions at home and at work.

    Oh and I'm reminded why I never liked Outlook so never more than glanced at it, let alone set it up. Thunderbird does just fine and dandy.

  9. Will Godfrey Silver badge

    Recycled plastic - good

    Recycled code - bad

    1. Anonymous Coward

      Recycled code - bad ?

      Recycled trustworthy code - doubleplus good

    2. h4rm0ny

      "Recycled code - bad"

      Code re-use is pretty standard practice, actually. No-one is going to re-write every part of a very large software project each time an iterative version is released, especially the legacy parts. If you did that you'd (a) never release a new version and (b) introduce more bugs with each version than you would otherwise.

      1. Anonymous Bullard

        But 10+ year old code is dragging it out a bit. At least review it, especially since it loads external data.

        I suspect the original coder is long gone, and it's spaghetti code that no one dares touch.

        1. Will Godfrey Silver badge

          This actually comes closer to what I was thinking. Also I have known occasions where re-use of 'good' code has been a disaster because the new dev didn't properly understand it and tried to use it as-is.

          I know this to be true cos it wos me!

          1. Tom 13

            @Will Godfrey

            I know this to be true cos it wos me!

            And there's the difference between you and MS. MS would never admit that in public.

        2. h4rm0ny

          >>"But 10+ year old code is dragging it out a bit. At least review it, especially since it loads external data."

          By that logic parts of the PATA modules in my Linux kernel should be re-written with every iteration of GNU/Linux. It loads external data and it's over ten years old. Point is that the OP I replied to said re-using code was bad. That's crap and every experienced software engineer on a medium large project knows how unfeasible and counter-productive it would be to re-write everything especially legacy parts, just because a new version was coming out.

          OP made an ignorant comment that code should not be re-used from one version of an Operating System to the next. You lose all credibility taking issue with me correcting the OP.

          1. Anonymous Coward

            "That's crap and every experienced software engineer on a medium large project knows how unfeasible and counter-productive it would be to re-write everything especially legacy parts, just because a new version was coming out."

            I don't think it's been suggested to re-write all code for every iteration. (Why do you people bicker back with edge cases and extreme counter-arguments?)

            I have written code, and it's been running for years. It doesn't get touched, it does what it's supposed to do. I've also written shitty code where I feel sorry for the next person to maintain. I've also been on the receiving end of shit code.

            But don't you do code reviews, especially on code that already had similar issues? Or are you the type to leave code well alone once it's proven to work?

            When you have code in high-risk areas, running on the vast majority of desktops over the world, and you're getting an obscene amount of money for it - it's more of a case of responsibility.

            I'd love to know if a code analysis tool would have picked this bug up, or if a second glance at the function would spot something... but I guess we'll never know.

            1. h4rm0ny

              >>"I don't think it's been suggested to re-write all code for every iteration. "

              OP wrote "Code re-cycling is bad". Other than an accompanying sentence saying that "plastic recycling is good", that was the sum total of their post. I responded pointing out that code re-use is standard practice and attempting to re-write everything would introduce more bugs.

              Then you argued with me.

          2. Anonymous Coward

            >> PATA modules in my Linux kernel should be re-written with every iteration of GNU/Linux

            A pathetic example! That code (and any updates to it) can be reviewed by anyone, and it's not dealing with data directly from the Internet - ie, in emails.

            Old code should be reviewed, every so often. The security landscape has changed a lot in the past decade.

          3. Anonymous Bullard

            "OP made an ignorant comment that code should not be re-used from one version of an Operating System to the next. You lose all credibility taking issue with me correcting the OP."

            Sorry, I was just trying to add something to the discussion regarding reviewing old code... I'm not here to gain credibility, or score points.

        3. Chika

          Good code is good code, no matter how old it is. The term "bit rot" was debunked a long time ago. The trouble is that good code isn't that easy to come by.

          Or if you prefer, there's the old adage that I recall from my programming days - there's no such thing as a finished product; just one that's in a high state of debug. :)

          1. Anonymous Coward

            "Bit rot"

            "The term "bit rot" was debunked a long time ago".

            I think you'll find that "bit rot" was humorous shorthand for the well-known problems that arise when an originally crisp, efficient system is gradually patched and "enhanced" year after year. It's the programmer's version of what Verity Stob calls "cruft" from the end-user POV.

          2. Rick Giles

            @Chika Bit Rot

            Bit Rot is still valid, but not for code. It is however prevalent at the hardware level in lots of cheaply made ROMs and CDs. I have an Atari 5200 that has suffered from it.

      2. Rick Giles

        @h4rm0ny "Recycled code - bad"

        If they are just going to put a new polish on the same old turd, then why FFS do people go out and get the "newest" one?

        Everyone needs to stop buying the "new" crap to make a point.

        I know, I know... Good luck with that.

        I've done my part... See icon -->

  10. All names Taken
    Paris Hilton


    I don't think it is a bug - more of an oversight.

    The root of the issue seems to be the time when MS thought that t'internet would be a great way to do systems management on Windows PCs remotely and all that IE6 development stuff that so many organisations and (ActiveX?) are still snagged into?

  11. Rob Carriere

    I've always thought Rich Text Format was misnamed.

    It should have been Windows Text Format.

    1. Stephen Channell

      The RTF file format predates Windows, and was included in Word for compatibility with the leading packages of the early eighties.

      safe to bet that every version of word (right back to the Unix original) is affected

      1. Nick Ryan Silver badge

        RTF is a Microsoft format created by Microsoft, for Microsoft. I believe it was introduced at some point between the Mac and DOS versions to allow them to actually exchange files as the .doc format was (surprise surprise) a bastardised binary stream mess that was changed as regularly as possible and in insane ways to ensure that competing packages couldn't use .doc files properly (and when they make a mess of them, they get the blame).

        1. Rob Carriere

          I'm aware of the history of at least two file formats called RTF, both going back several decades. In this case, I was doing simple acronym punnery.

          1. Tom 13

            OK, some days we're a little slow. Although I will say that for proper punnery, no explanation should be required (or point to it which is just about the same thing).

            1. Rob Carriere

              Oh, I agree. Some days you're a little slow, you say. Well, some days, I pun poorly. So there. 'Tis the nature of me, especially before the coffee...

        2. Stephen Channell

          two roles for RTF

          Back in the early '80s IBM had a very brief leadership of PC word processing with DisplayWrite before being eclipsed by WordStar (ported from CP/M), WordPerfect (ported from Wang), MS Word (ported from Xenix). DisplayWrite was developed in a PC emulator running on MVS... was slow, memory intensive with a blocky UI, and larger files due to RTF, which was text based for transfer to/from S/370,S/36,S/38 versions which used EBCDIC instead of ASCII. RTF support in WordPerfect & Word started out as IBM compatibility.

          For Microsoft RTF was a surprise saviour because it was the only way to share files between Word for DOS and MacWord which had incompatible .DOC formats due to big/little endian differences between 8086 & 68000.

          IBM lost interest in RTF, because it had a better idea with GML (which it standardised & some contractor @CERN copied for his web-thing).

          MS wrote-up the spec because mail-merge used to be a separate program, and is still used in document generators.

    2. veti Silver badge

      Shirley you mean...

      'Microsoft Text Format'?

  12. 0_Flybert_0

    .. StarOffice > OpenOffice > LibreOffice = NoProblemo ..

    1. Roland6 Silver badge

      Re: StarOffice > OpenOffice > LibreOffice = NoProblemo

      Seriously, I would be interested in the evidence to support this statement ... Remember the bug is a "maliciously crafted RTF document", which would seem to suggest the file/document contains valid RTF, just used in an 'interesting' way...

  13. J.G.Harston Silver badge

    I've said it before and I'll say it again. WTF does a document format have to have executable capability?

    1. vagabondo

      executable document formats

      lower spam/malware bandwidth. No need for attachments with names like "Very Important Document.doc.exe" -- saves three bytes.

    2. Yet Another Anonymous coward Silver badge

      This is the company that created a vector graphic format that you could embed executable commands in - as a "feature"

      1. Not That Andrew

        And a video file format designed to contain executable content. Although in the case of AVI it made some sense as it was explicitly designed as a general-purpose multimedia container. Or was that post-rationalisation?

    3. 9Rune5

      "executable capability" what are you on about..?

      The vulnerability sounded more like a run-of-the-mill buffer overflow type thing? (In which case DEP, ASLR should mitigate the situation some, and elevation requirements should help keep admins from letting this pwn the entire box)

    4. Phil O'Sophical Silver badge

      WTF does a document format have to have executable capability?

      Has anyone suggested that it does, or that this is where the problem lies? Most bugs like this work by corrupting the code of the tool that is processing them, for example by overflowing internal buffers with data whose length is incorrectly declared. The file just contains data which happens to mean something to the CPU, it's the buggy utility that is tricked into executing it.

      1. Nick Ryan Silver badge

        RTF allows embedding of images and Microsoft regularly get their image parsers broken allowing embedded code execution. Most likely it is this rather than the parsing of text, as executable code needs to be stored and a binary (ish) image blob is ideal for this.

    5. Anonymous Coward


      What is this "WTF" of which you speak? Is it yet another confusing Microsoft text format? Maybe "Whizz-Bang Text Format" or "Wacky Text Format".

  14. John Smith 19 Gold badge

    Apparently RTF first shipped in 1987 with Word for Mac 3.0.

    And has never supported macros.

    Wonder how far back this bug goes....

  15. Michael H.F. Wilkinson Silver badge

    And people wonder why I use LaTeX. Not for everybody, I know, but it works for me.

    1. Rob Carriere

      I love LaTeX and use it a lot, but...

      TeX is a programming language. .tex files, including LaTeX ones, are executable content. If you blindly process a .tex I send you, I can read from and write to everywhere in the file system you have access.

  16. RyokuMas Silver badge

    It's 2014...

    ... and el Reg appear to be using a script to generate headlines about Windows vulnerabilities.

    I'm tolerant. I can deal with the fact that this might not have been spotted in the mound of code-upon-code that probably underpins Word by now (I know all too well that greenfields projects just don't happen).

    ... but to have known about something this serious for over a month and not done anything? Poor show.

  17. RonWheeler


    Curious to know what the year has to do with it other than a cheap dig?

    It is 2014 and there are plenty of Android exploits out there too, but it isn't deemed worthy of hack journalist cheap shots like this.

    1. Mikel

      Re: 2014

      Trustworthy Computing. 2002. Guess who.

      If you can't figure out how to safely parse a text file in your own proprietary format in 12 years it is time to give up.

  18. Anonymous Coward

    Please Reg keep your technical standards

    This vulnerability by itself does not allow you to "own" a machine. This allows for arbitrary code execution inside user space, which can't by itself "own" a machine unless combined with a privilege escalation. Which is not very difficult these days with grandma saying "Yes" to annoying prompt dialogs.

    But the vulnerability by itself does not allow you to own a PC.

    1. Joseph Lord

      Re: Please Reg keep your technical standards

      No they don't "own" the machine without further steps (privilege escalation exploit or social engineering to get admin password). They can however access all your data, log web browsing and keystrokes so that they can get at your bank account (e.g. install browser plugin that performs MITM attack while you login).

    2. Mikel

      Re: Please Reg keep your technical standards

      It is the remote executable that allows you to run the privilege escalation and install the rootkit. Privilege escalation kits are a dime a dozen. Without a remote executable the gate is locked. So yes, this is what allows a machine to be owned.

      1. Anonymous Coward

        Re: Please Reg keep your technical standards

        Brilliant example of "security expert" speak. Privilege escalation kits different from popping up a dialog asking for admin rights are NOT "a dime a dozen". In fact, if you have lots of them there is a very profitable market where you'll be handsomely paid, so you should be right now making yourself rich instead of trolling forums. Which you are not.

        Plus, if they were "a dime a dozen" MS would be at least issuing patches for some of them.

        Go to scare crowds elsewhere.

  19. Spoobistle

    Is Wordpad affected?

    Anybody know if Wordpad is vulnerable? I use this rather than Word for .rtf files as it is a bit quicker and less clumsy for some tasks.

  20. David Goadby

    Testing or Polishing?

    I produce control systems for a living. I have systems all over the world so support costs me money. I spend far more time on testing than polishing the UI's. My customers appreciate it and I get less support calls.

    Microsoft are too worried about their image and ratings to care about the bugs they regularly ship to us. Imagine a programmer saying to the pre-release team "I have found an obscure bug". With the press briefed and the glossy advertising booked there would be no stopping the release. It would then be forgotten.

    We, the customers, are Microsoft's largest debug team. And we don't even get a discount!

    Even the purchase of Nokia shows poor thinking. The deal is not yet done and Nokia announce a phone that runs Android! Go figure.

    1. Anonymous Coward

      Re: Testing or Polishing?

      "We, the customers, are Microsoft's largest debug team. And we don't even get a discount!"

      I couldn't agree more. The thing of it is, Microsoft has just followed the rules of the legal and economic system with which it has to comply. Precisely because its products have such large user bases, the great majority have no idea of security or decent quality. Rather, they are swayed by shiny UI features.

      If we want better behaviour from vendors, we need to adjust the legal and economic system. While we're at it, we could perhaps do something to prevent banksters from making fortunes with no downside and at no risk to themselves, by exploiting laws that they paid for (and in most cases, actually wrote themselves because the politicians don't begin to understand such a difficult subject).

      Or, if you want to live in a blue sky ivory castle and dream dreams, we could improve our educational system so that, as today's young people become adults, they will no longer be susceptible to such trickery. But now I'm raving - it could never happen.

      1. NogginTheNog

        Re: Testing or Polishing?

        This is the fundamental problem with all software: it's released half finished!

        The next time I'm installing ANOTHER Windows patch, update for an Adobe product, or Java, instead of the bullshit about how many machines it runs on, just for once I'd like to see an APOLOGY for the fact that I'm only having to install this update because they screwed up and left a security hole in their product that may just cost someone their bank contents.

        1. Stevie Silver badge

          Re: Testing or Polishing?

          Spot on, but I would also like to see an end to those doubly annoying "re-agreement to the license" windows.

          Nothing makes me madder than to have Adobe yell at me to update this or that plugin, then confront me with a window full of Lawyer Gibberish and force me to check the box to activate the button that I must click to get on with what *they* were begging me to do only five minutes before.

        2. A J Stiles

          Re: Testing or Polishing?

          This is the fundamental problem with all software: it's released half finished!
          Indeed. Half of all half-finished software is secure underneath but takes a conscious effort of will to learn how to use. The other half of all half-finished software is easy to use, even easier to use badly -- and thoroughly insecure underneath.

    2. Mikel

      Re: Testing or Polishing?

      You produce control systems. On Windows. And you think they are the only fail here? Did you consider your responsibility to your customers when you made that choice?

  21. Matthew 25

    Interesting inclusion

    ...'and Office for Mac 2011 are vulnerable,'


    1. Kaltern Silver badge

      Re: Interesting inclusion

      It could be Office for AmigaOS.. or Office for ZX Spectrum.... if the code is the same, then the vulnerability could be the same*.

      * hypothetical, but probably impossible due to the memory limitation.... :P

  22. Anonymous Coward

    Why can't I see the letters RTF

    without mentally adding an M at the end?

  23. Roland6 Silver badge

    Enhanced Mitigation Experience Toolkit

    Reading the MS stuff on this (via the article link) I'm left wondering why MS didn't just release this as a Windows security update. Certainly it seems to add some rather useful security features that by implication MS have deliberately omitted from: XP, Vista, 7, 8 & 8.1 !!!!

  24. Change can be good

    Check out LibreOffice

    Time to take the free, safe, secure & feature-packed LibreOffice for a spin. It's truly multi-platform & takes just a few minutes to install.

    Try it you have so much to gain:

  25. JLV Silver badge

    Buggy software can happen, but...

    I know we are all making fun of MS here for having a bug in RTF rendering since Office 2003.

    It is a cautionary reminder that user-entered data needs to be assessed very carefully before processing. The MS team that let this slip didn't exactly cover themselves with glory, but 700 monkeys poking 700 sticks at 700 apps will occasionally hit paydirt.

    The Office vulnerability is NOT what is scary and in addition, the important bits are NOT being reported here and they are not reported in the CVE either.

    What operating systems are at risk? From the lack of forthcoming information from MS I would guess even Windows 7 and 8 would be.

    Why is it that a regrettable, but not entirely unexpected condition in a bit of non-system software, in this case rendering an RTF, manages to get a user to own a modern operating system?

    I am betting that, if Open Office had a similar bug, it could not infect Windows itself because the system would not be tightly coupled to it and would have a suitably hands off relationship. Why does MS insist on allowing tight integration between its user apps and the OS? For performance reasons on multi-core systems?

    Why isn't UAC more robust? Linux and even Mac users can apparently deal with the boundless complexities of sudo and admin user approval (and password) prompts, so why doesn't MS get off its fat rear end and implement appropriate isolation between userland and system integrity?

    No, all this would not prevent clueless users from happily providing their credentials when offered riches from Nigerian princes or offered a free AV scan. But it would protect the other 95% of us.

    And, yes, I include myself because I have to use Windows for work but know better for personal use.

    p.s. Windows 8 security in 2014? password limited to 16 chars. Good job, MS! Horse Battery Staples not included.
