Are RTF files risky?


Office for Mere Mortals
Your beginners guide to the secrets of Microsoft Office
Invalid email address
Tips and help for Word, Excel, PowerPoint and Outlook from Microsoft Office experts.  Give it a try. You can unsubscribe at any time.  Office for Mere Mortals has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy

A few readers asked why .RTF email attachments are considered a security risk?

The confusion is understandable.  After all .RTF (Rich Text Format) files aren’t designed to carry any computer code that can be run to start a virus infection.  So they would seem to be ‘safe’ from virus infection.

Sadly, that doesn’t stop hackers using RTF’s maliciously.

RTF documents can still be used to compromise a computer. Over the years there’s been various instances where hacked RTF files have been used to run malicious code when the RTF file has been opened with Word.

In other words, hackers take advantage of security lapses in Word that are available when RTF files are opened.

In 2014 Microsoft took the step of recommending RTF’s be blocked as email attachments and provided a tool to do that.

Now we have .docx files that are both more secure and smaller (they are compressed by default) so .rtf files are less commonly used.

There have been similar situations with ZIP files which officially can’t run code. ZIP’s can be hacked to do so, which is why .zip files are often used by hackers in their emails.

Be wary of incoming documents in either .DOC or .RTF format as well as .ZIP attachments.

When sending out documents, the polite and security aware option is the Office 2007 and later document formats – .docx  .xlsx or .pptx

subs profile e1563205311409 - Are RTF files risky?
Latest news & secrets of Microsoft Office

Microsoft Office experts give you tips and help for Word, Excel, PowerPoint and Outlook.

Give it a try. You can unsubscribe at any time.  Office Watch has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy
Invalid email address