A new vulnerability in Word was discovered and patched by Microsoft earlier this month. Again, the source was an RTF (Rich Text Format) document.
There’s still a widespread myth that RTF files are ‘safe’ supposedly because RTF’s can’t contain macros. That’s FALSE.
.RTF documents aren’t designed to accept code, they are hacked in many, many ways. Those hacks trick programs – mostly Microsoft Word – into running code to infect or control your computer.
See Are RTF documents risky? and Moving away from RTF away from Word
This latest hack was happening in the real world, not a theoretical problem.
The latest RTF security bug
This latest security bug, discovered by FireEye, is just the latest example of RTF’s being used to take advantage of a security lapse by Microsoft.
The hackers found a security hole in the ‘WDSL parser’ which takes a document and splits it into workable chunks. The parsehas a function IsValidUrl which should check that a link is OK. Hackers discovered that adding more CRLF symbols to the link would fool the WDSL parser into running the nasty code. Ouch.
It’s not the RTF document to blame, it’s Microsoft.
Using this new technique, the hackers are able to infect a computer using a known technique called ‘FINSPY’.
