20140328 - Microsoft warns of zero-day flaw - Just previewing an Outlook email could infect your computer.
Microsoft has warned computer users that malicious hackers are exploiting a previously unknown vulnerability in Microsoft Word, in order to infect computers with malware.
Worryingly, the zero-day attack means that users’ computers can be infected simply by *previewing* a specially crafted email message in Microsoft Outlook.
In other words, it is not necessary to open a malicious attachment or click on a dangerous link to put your computer in danger.
Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
Although Microsoft states that the targeted attacks it has seen so far have been directed at users of its Word 2010 product, it’s clear that the remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, as well as Office for Mac 2011.
Microsoft Outlook 2007, 2010 and 2013 all use Word by default as the email reader.
Microsoft is hopefully working away on a proper patch, but in the meantime they recommend that users consider applying their temporary Fix it solution, which disables the opening of RTF content in Microsoft Word, or switching to reading emails in plain text format.
For more information on how to configure Microsoft Outlook 2003, 2007, 2010 and 2013 to read emails in plain text format, check out the following Microsoft knowledgebase articles:
- How to view all e-mail messages in plain text format (Office 2003, 2007 and 2010)
- How to read email messages in plain text (Office 2013)
To help minimize this risk to our users, we have temporarily added RTF files to the list of "Dangerous File Attachments". This will cause e-mails containing RTF files to be quarantined for those users that have Attachment Type Filtering enabled in their account.
Update: 2014/06/26
Given that Microsoft has released a patch to address this vulnerability, and sufficient time has passed to allow virtually anyone using the vulnerable software to apply the patch, we have removed RTF files from the list of "Dangerous File Attachments". If you have not yet applied the updates in MS14-017, please do so now!
We appreciate your patience during this work and welcome any feedback. Thank you for being an ETRN customer. Please contact us if you have any questions.
We Answer Your Questions: FAQ
Q: What is the maximum e-mail attachment size?
A: The ETRN.com e-mail servers do not limit the size of individual e-mail attachments. The ETRN.com e-mail servers do impose a 400 MB maximum total message size limit. Individual customers can choose a smaller message size limit. We can also customize the handling of "over-sized" e-mails. Please contact us to discuss your specific needs. A couple of important facts:
1. Attachments are typically encoded in what is called Base64[1]. Base64 emits 4 characters for every 3 bytes of input (133%), and MIME adds a CRLF line break after every 76 characters, so the actual length of MIME-compliant Base64-encoded binary data is usually about 137% of the original file size.
2. E-mails often contain both plain text and HTML components. This also increases the overall size of the e-mail.
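The RTF attachment quarantine described in the notice above and the Base64 size arithmetic in this FAQ, as an added example that is not ETRN's own filtering code: it parses a constructed MIME message with Python's standard `email` library, flags any attachment that looks like RTF by filename, declared type or the `{\rtf` signature (so a mislabelled file is still caught), and computes the MIME-Base64 size each attachment occupies, which comes out near the 137% figure. The sample message, filenames and quarantine decision are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rtf"  # every RTF document begins with this control word

def mime_base64_size(n_bytes: int) -> int:
    """Bytes a payload occupies after Base64 with a CRLF after every 76 characters (RFC 2045)."""
    raw = 4 * ((n_bytes + 2) // 3)   # 4 output chars per 3 input bytes, '=' padded
    lines = (raw + 75) // 76         # 76-character lines, the last possibly shorter
    return raw + 2 * lines           # each line is terminated by CRLF

def is_rtf_part(part) -> bool:
    """Treat a part as RTF if its filename, declared MIME type or leading bytes say so."""
    filename = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    return (filename.endswith(".rtf")
            or part.get_content_type() in ("application/rtf", "text/rtf")
            or payload.lstrip().startswith(RTF_MAGIC))

def scan_message(raw: bytes):
    """Return (quarantine, report): quarantine is True if any attachment looks like RTF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        decoded = part.get_payload(decode=True) or b""
        report.append({
            "filename": part.get_filename(),
            "rtf": is_rtf_part(part),
            "decoded_bytes": len(decoded),
            "encoded_bytes": mime_base64_size(len(decoded)),
        })
    return any(r["rtf"] for r in report), report

def build_sample_message() -> bytes:
    """Constructed sample mail: a harmless text note plus an RTF body whose name and type do not say RTF."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"meeting at 10\n" * 50, maintype="text", subtype="plain", filename="notes.txt")
    rtf = b"{\\rtf1\\ansi Hello}" + b"A" * 3000   # minimal RTF header only, no exploit content
    msg.add_attachment(rtf, maintype="application", subtype="msword", filename="report.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    quarantine, report = scan_message(build_sample_message())
    print("quarantine:", quarantine)
    for r in report:
        print(r, "ratio=%.3f" % (r["encoded_bytes"] / r["decoded_bytes"]))
```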