Nasty RTFs Nudge Word Into Submission

Severity: High


  • These vulnerabilities affect: Word (and Office) 2003 through 2010 for Windows (and related components)
  • How an attacker exploits it: By enticing one of your users to open a malicious RTF document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s Word update as soon as possible, or let Microsoft’s automatic update do it for you


As part of today’s Patch Day, Microsoft released a security bulletin describing a serious security vulnerability in the Windows version of Word — part of Microsoft Office package. The flaw doesn’t affect the Mac versions, but does affect the Word viewer and Office Compatibility Packs.

The vulnerability stems from an unspecified memory corruption fkaw having to do with how Word handles rich text format (RTF) documents. If an attacker can entice one of your users into downloading and opening a maliciously crafted RTF document, he can exploit the flaw to execute code on that user’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released Word and Office updates to correct these vulnerabilities. If you use Office or Word, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section for of Microsoft’s Word bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a signature, which detects and blocks this Word RTF vulnerability:

  • EXPLOIT Microsoft Word RTF listoverridecount Remote Code Execution Vulnerability (CVE-2012-2539)

Your appliance should get this new IPS update shortly.

You can also configure WatchGuard devices to block RTF documents. However, this will block all RTFs, whether legitimate or malicious. If you decide you want to block them, the links below contain instructions that will help you configure proxy’s content blocking features for your device:


Microsoft has released Word updates to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

4 Responses to “Nasty RTFs Nudge Word Into Submission”

  1. Hi, yes this article is truly good and I have learned lot of things
    from it concerning blogging. thanks.


  1. Nasty RTFs Nudge Word Into Submission « microreksa - December 11, 2012

    […] Nasty RTFs Nudge Word Into Submission […]

  2. WatchGuard Security Week in Review: Episode 44 – Ar.Drone Virus | WatchGuard Security Center - December 14, 2012

    […] MS Word update – WGSC […]

  3. WatchGuard Security Week in Review: Episode 44 – Ar.Drone Virus « microreksa - December 16, 2012

    […] MS Word update – WGSC […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 8,238 other followers

%d bloggers like this: