Just previewing an Outlook email could infect your computer. Microsoft warns of zero-day flaw

Graham Cluley

Microsoft has warned computer users that malicious hackers are exploiting a previously unknown vulnerability in Microsoft Word, in order to infect computers with malware.

Worryingly, the zero-day attack means that users’ computers can be infected simply by *previewing* a specially crafted email message in Microsoft Outlook.

In other words, it’s not necessary to actually open a malicious attachment or click on a dangerous link to put your computer in danger.

Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

Although Microsoft states that the targeted attacks it has seen so far have been directed at users of its Word 2010 product, it’s clear that the remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, as well as Office for Mac 2011.

Microsoft Outlook 2007, 2010 and 2013 all use Word by default as the email reader.

Microsoft is hopefully beavering away on a proper patch, but in the meantime they recommend that users consider applying their temporary Fix it solution which disables the opening of RTF content in Microsoft Word, or switch to reading emails in plain text format.
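Until a patch is available, a mail gateway or triage script can also flag messages that deliver RTF content. The following is an added example, not code from the original article or from Microsoft: it walks a message's MIME parts and reports any part that is RTF by its leading bytes or declared type, or that is a TNEF container of the kind Outlook uses for rich-text messages. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rtf"                       # standard RTF header bytes
RTF_TYPES = {"application/rtf", "text/rtf"}
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}

def find_rtf_parts(raw_message: bytes):
    """Return (name, content_type, reason) for each MIME part that is, or may carry, RTF."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or "(body)"
        payload = part.get_payload(decode=True) or b""
        # Sniff content first: RTF bytes under a .doc name are still RTF.
        if payload.lstrip().startswith(RTF_MAGIC):
            hits.append((name, ctype, "rtf-magic"))
        elif ctype in RTF_TYPES or name.lower().endswith(".rtf"):
            hits.append((name, ctype, "rtf-declared"))
        elif ctype in TNEF_TYPES:
            # Outlook rich-text messages travel as TNEF (winmail.dat); the RTF body is inside.
            hits.append((name, ctype, "tnef-container"))
    return hits

def build_sample() -> bytes:
    """Constructed sample message with harmless payloads; all names are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(b"\x78\x9f\x3e\x22", maintype="application",
                       subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, ctype, reason in find_rtf_parts(build_sample()):
        print(f"{reason:15} {ctype:22} {name}")
```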

For more information on how to configure Microsoft Outlook 2003, 2007, 2010 and 2013 to read emails in plain text format, check out the following Microsoft knowledgebase articles:

This isn’t, of course, the first time that malware has been able to infect computers just by emails being read (as opposed to links being clicked on, or attachments opened).

Readers with long memories may remember the BubbleBoy and Kakworm attacks, for instance. Kakworm became particularly widespread at the tail end of the 1990s, exploiting a security hole in Microsoft Outlook Express to spread its viral code around.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Just previewing an Outlook email could infect your computer. Microsoft warns of zero-day flaw”

  1. Time to check out the free & feature-packed LibreOffice. It's truly multi-platform & takes just a few minutes to install.

    Try it, you have so much to gain: www.libreoffice.org/download

    Feel Thunderbird is great too.

  2. I've been writing about security since 2004. In my "14 Golden Rules of Computer Security" series, started in 2005, Rule #6 recommended turning off preview in any email client: http://itknowledgeexchange.techtarget.com/security-corner/golden-rule-sharp-6-turn-off-message-preview-in-your-email-client/

    I'm surprised that it takes a zero-day vulnerability for Microsoft to notice and recommend the same thing.
