Just previewing an Outlook email could infect your computer. Microsoft warns of zero-day flaw

Microsoft has warned computer users that malicious hackers are exploiting a previously unknown vulnerability in Microsoft Word, in order to infect computers with malware.

Worryingly, the zero-day attack means that users' computers can be infected simply by *previewing* a specially crafted email message in Microsoft Outlook.

In other words, it's not necessary to actually open a malicious attachment or click on a dangerous link to put your computer in danger.

Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

Although Microsoft states that the targeted attacks it has seen so far have been directed at users of its Word 2010 product, it's clear that the remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, as well as Office for Mac 2011.

Microsoft Outlook 2007, 2010 and 2013 all use Word by default as the email reader.

Microsoft is hopefully beavering away on a proper patch, but in the meantime they recommend that users consider applying their temporary Fix it solution which disables the opening of RTF content in Microsoft Word, or switch to reading emails in plain text format.
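Until those mitigations are in place everywhere, inbound mail can also be screened for content that would end up in Word's RTF handling. The following Python is an added example, not part of Microsoft's advisory or this article: it flags MIME parts that are RTF by content (even when named .doc), parts declared as RTF, and TNEF containers, which is how Outlook rich-text messages travel. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

RTF_PREFIX = b"{\\rt"  # short prefix; also matches the standard "{\rtf1" header
RTF_TYPES = {"text/rtf", "application/rtf"}
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}

def find_rtf_parts(raw: bytes):
    """Return (filename, declared_type, reason) for each MIME part that
    could hand RTF to Word, whatever its file extension claims."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        if data.lstrip()[:4].lower() == RTF_PREFIX:
            reason = "rtf-magic"       # content is RTF even if named .doc
        elif ctype in RTF_TYPES:
            reason = "rtf-declared"
        elif ctype in TNEF_TYPES:
            reason = "tnef-container"  # Outlook rich-text bodies travel in TNEF
        else:
            continue
        findings.append((part.get_filename(), ctype, reason))
    return findings

def build_sample() -> bytes:
    """Constructed test message: harmless placeholder bytes only."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(b"{\\rtf1\\ansi constructed sample}", maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(b"\x78\x9f\x3e\x22constructed", maintype="application",
                       subtype="ms-tnef", filename="winmail.dat")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, ctype, reason in find_rtf_parts(build_sample()):
        print(f"{name}: {ctype} -> {reason}")
```

The TNEF match is by container type only; the code does not unpack the compressed RTF inside, so such parts are candidates for quarantine or further inspection rather than confirmed RTF.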

For more information on how to configure Microsoft Outlook 2003, 2007, 2010 and 2013 to read emails in plain text format, check out the following Microsoft knowledgebase articles:

This isn't, of course, the first time that malware has been able to infect computers just by emails being read (as opposed to links being clicked on, or attachments opened).

Readers with long memories may remember the BubbleBoy and Kakworm attacks, for instance. Kakworm became particularly widespread at the tail end of the 1990s, exploiting a security hole in Microsoft Outlook Express to spread its viral code around.


3 Comments on "Just previewing an Outlook email could infect your computer. Microsoft warns of zero-day flaw"

March 25, 2014 3:16 pm

Another notch in the coffin of a once great empire. Like Venice or Spain?

March 26, 2014 4:08 pm

Time to check out the free & feature-packed LibreOffice. It's truly multi-platform & takes just a few minutes to install.

Try it, you have so much to gain: www.libreoffice.org/download

Feel Thunderbird is great too.

Ken Harthun
March 28, 2014 2:21 pm

I've been writing about security since 2004. In my "14 Golden Rules of Computer Security" series, started in 2005, Rule #6 recommended turning off preview in any email client: http://itknowledgeexchange.techtarget.com/security-corner/golden-rule-sharp-6-turn-off-message-preview-in-your-email-client/

I'm surprised that it takes a zero-day vulnerability for Microsoft to notice and recommend the same thing.