New MS Word Zero-day vulnerability for RTF-files
Microsoft has discovered a new critical vulnerability in Word that is being used in attacks. And because newer Outlook version uses Word as its default email viewer, you don't even have to open a RTF document to get infected. It's enough if you receive a specially crafted email and you have the preview function turned on.
"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user"
https://technet.microsoft.com/en-us/security/advisory/2953095
There is no permanent fix yet, only workarounds:
- A FixIt to disable Word to open RTF-files: https://support.microsoft.com/kb/2953095
- Open emails as plain text: http://support.microsoft.com/kb/307594
- Using the MS Exploit blocker EMET: http://microsoft.com/emet
I've read that other AV's can detect this already. Can F-Secure detect and block this?
Comments
-
Possibly it's already and must be detected, just because:
- behavior-detect (like can be with general descriptions for various exploits or words exploits; or simply for some of "examples") for certainly .rtf-file and can be without right connect with "current exploit";
- behavior-detect for another points - like if it's zip-archive or something another - can be gerenal detect for any reasons and can be like trojan-deteted or something other "general" not about "current exploit";
- detect for known samples of current exploit (here can be any samples about exploit for Microsoft Word 2010; but probably that "signature"-description can be actual for later/previously versions too - and it's mean will be already "behavior-detect" for another files);
Anyway, I think that if user will be meet something "fresh" about that exploit - F-Secure can not to detect or help - if user already open/launch that, but F-Secure give a lot of layers before for any ways against "attacks" - e-mail protection (if it's will be as attach-file - where user can be carefull in all situation), browser protection (if it's will be any website with exploit for browser, which give current exploit for word or other hard/easy steps); signature-based (if it's will be already "outdate" exampe of exploit rtf-file) and etc. With "carefull" by user - it's can to help in "good" protection.
Also probably can be a lot of false positive.
But interesting will be information not just about "detect/block this already" - also will be interesting about "what can to do F-Secure - if it was not known sample/variant and system already with effect by that exploit?";
"Or it's not so hard to detect all variants of that exploit" always?
-
http://www.f-secure.com/weblog/archives/00002691.html
Related information by DeepGuard.
Also can be aditional to http://community.f-secure.com/t5/Security/Vulnerability-info-not-updated/td-p/47827
-
Hi Nikk,
As I mentioned in the other post (http://community.f-secure.com/t5/Security/Vulnerability-info-not-updated/m-p/47939/highlight/false#M8780), F-Secure have the detection for the exploit now as below:
Aquarius: Exploit.CVE-2014-1761.A
Hydra: Exploit:W32/CVE-2014-1761.A
Hydra 2014-04-04_02 and Aquarius 2014-04-03_03 contains the detection for the exploit. At the same time, our DeepGuard5 was able to block this exploit even before the databases above has been released. For more information, as Ukko as mentioned above, please visit our Weblog: http://www.f-secure.com/weblog/archives/00002691.htmlThanks.
-
Hi Nikk,
Please find detailed information given here:
http://www.f-secure.com/en/web/labs_global/vulnerability/cve-2014-1761