Microsoft releases monthly patches for its software to fix bugs and keep bad guys from gaining access to your computer. This month’s update includes an important patch for Office that fixes vulnerabilities that could let malicious hackers execute code through rich text files.
MS16-054 resolves four vulnerabilities in Microsoft Office. An attacker who exploits the vulnerabilities could run arbitrary code in the context of the current user, so users whose accounts have fewer rights could be less impacted than users with administrative rights. Two of the vulnerabilities are in the rich text format (RTF) and can be triggered through the Outlook preview pane, without the user actually having to open the attachment.
“[RTF] is a little bit difficult to defend because there are a lot of permutations and combinations you have to go through to thoroughly test it,” said Amol Sarwate, director of engineering at Qualys. “RTF vulnerabilities have been attacked [for] 10 years now. It’s a little bit difficult to comprehend that we still see it.”
RTF is vulnerable due to the combination of legacy features that must be supported and new features that have been added, Sarwate said. The prevalence of Windows and RTF files on the Internet also makes it a prime target for attackers, he added.