New MS Word Zero-day vulnerability for RTF-files

NikK
NikK Posts: 903 Forum Champion

Microsoft has discovered a new critical vulnerability in Word that is being used in attacks. And because newer Outlook versions use Word as the default email viewer, you don't even have to open an RTF document to get infected. It's enough if you receive a specially crafted email and you have the preview function turned on.

"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user"

https://technet.microsoft.com/en-us/security/advisory/2953095


There is no permanent fix yet, only workarounds:

I've read that other AVs can detect this already. Can F-Secure detect and block this?

Comments

  • JohannesL
    JohannesL Posts: 38 Former F-Secure Employee

    Hi, NikK!


    Thank you for the information that you have provided us.

    Can't directly answer if F-Secure is blocking it at the moment, but we will find out and get you an answer as soon as possible.


    Thanks!

  • Ukko
    Ukko Posts: 3,727 Superuser

    Possibly it's already and must be detected, just because:

     - behavior-detect (like can be with general descriptions for various exploits or Word exploits; or simply for some of "examples") for certainly .rtf-file and can be without right connect with "current exploit";

     - behavior-detect for another points - like if it's zip-archive or something another - can be general detect for any reasons and can be like trojan-detected or something other "general" not about "current exploit";

     - detect for known samples of current exploit (here can be any samples about exploit for Microsoft Word 2010; but probably that "signature"-description can be actual for later/previous versions too - and it's mean will be already "behavior-detect" for another files);


    Anyway, I think that if user will meet something "fresh" about that exploit - F-Secure can not detect or help - if user already opens/launches that, but F-Secure gives a lot of layers before for any ways against "attacks" - e-mail protection (if it's will be as attach-file - where user can be careful in all situation), browser protection (if it's will be any website with exploit for browser, which give current exploit for Word or other hard/easy steps); signature-based (if it's will be already "outdated" example of exploit rtf-file) and etc. With "careful" by user - it's can to help in "good" protection.

    Also probably can be a lot of false positive.


    But interesting will be information not just about "detect/block this already" - also will be interesting about "what can to do F-Secure - if it was not known sample/variant and system already with effect by that exploit?";

    "Or it's not so hard to detect all variants of that exploit" always?
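The e-mail protection layer mentioned in the post above, as an added example that is not code from this thread or from F-Secure: a small gateway-style check that walks the MIME parts of a message and identifies RTF content by its leading `{\rtf` control word, so that RTF delivered under a misleading extension or MIME type (or as an inline `text/rtf` body that a preview pane would render) is still flagged for quarantine. The sample message, its addresses and its attachments are constructed here for the example and are benign; they are not samples of the exploit.

```python
import email
from email import policy
from email.message import EmailMessage

# Every RTF document begins with the "{\rtf" control word (case-insensitive).
RTF_MAGIC = b"{\\rtf"


def is_rtf(payload: bytes) -> bool:
    """Identify RTF by content rather than by extension or declared MIME type."""
    head = payload.lstrip()[:len(RTF_MAGIC)]
    return head.lower().startswith(RTF_MAGIC)


def find_rtf_parts(raw_message: bytes) -> list:
    """Return one record per MIME part whose decoded payload is RTF,
    whatever filename or Content-Type the sender declared."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if not payload or not is_rtf(payload):
            continue
        findings.append({
            "filename": part.get_filename() or "(inline body)",
            "declared_type": part.get_content_type(),
            "disposition": part.get_content_disposition() or "inline",
        })
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Policy hook (assumed for this example): hold any message carrying RTF
    until a signature or behavioural engine has cleared it."""
    return bool(find_rtf_parts(raw_message))


def build_sample_message() -> bytes:
    """Constructed test message: a plain-text body, an inline text/rtf
    alternative, an RTF attachment disguised as .doc, and a non-RTF PDF stub."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "analyst@example.invalid"    # constructed address
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached report.")
    # Harmless constructed RTF text used for both the inline body and the attachment.
    rtf_text = "{\\rtf1\\ansi Hello, this is a harmless constructed RTF document.}"
    msg.add_alternative(rtf_text, subtype="rtf")
    # Extension and MIME type both claim a Word binary; the content says RTF.
    msg.add_attachment(rtf_text.encode("ascii"), maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(b"%PDF-1.4\n% constructed stub, not RTF\n",
                       maintype="application", subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for hit in find_rtf_parts(raw):
        print(f"RTF content: {hit['filename']} declared as {hit['declared_type']} "
              f"({hit['disposition']})")
    print("quarantine:", should_quarantine(raw))
```

The check deliberately ignores the filename and Content-Type headers, because both are attacker-controlled; only the decoded bytes decide. Blocking on content type is a coarse workaround that holds legitimate RTF too, which is the usual trade-off for a zero-day window before signatures exist.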

  • Hi Nikk,


    As I mentioned in the other post (http://community.f-secure.com/t5/Security/Vulnerability-info-not-updated/m-p/47939/highlight/false#M8780), F-Secure has the detection for the exploit now as below:

    Aquarius: Exploit.CVE-2014-1761.A
    Hydra: Exploit:W32/CVE-2014-1761.A

    Hydra 2014-04-04_02 and Aquarius 2014-04-03_03 contain the detection for the exploit. At the same time, our DeepGuard5 was able to block this exploit even before the databases above had been released. For more information, as Ukko has mentioned above, please visit our Weblog: http://www.f-secure.com/weblog/archives/00002691.html


    Thanks.

This discussion has been closed.