Microsoft’s Malware Protection Center issued a warning this week that it has spotted malicious code on the Internet that can take advantage of a flaw in Word and infect computers after a user does nothing more than read an e-mail.
The flaw was addressed in November in a fix issued on Patch Tuesday, but with malicious code now spotted in the wild, the protection center apparently wants to be sure the update wasn’t overlooked.
From the MMPC blog post:
The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one. The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack.
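The oversized size parameter the post describes is something a mail gateway or a triage script can look for before Word ever parses the attachment. The scanner below is an added example, not Microsoft's or Symantec's code: it tokenizes RTF control words and flags any numeric parameter outside the signed 16-bit range the RTF specification gives for parameters. The 32767 bound, the skip-list, the control-word name `someword` and the sample documents are constructed for illustration and are not the specific field MS10-087 concerns.

```python
import re

# RTF control word: a backslash, ASCII letters, and an optional signed
# decimal parameter glued directly to the letters (e.g. \fs24, \li-360).
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?[0-9]+)?")

# The RTF specification describes control-word parameters as signed 16-bit
# integers, so a larger magnitude is at least malformed. Assumed threshold.
MAX_PARAM = 32767

# \bin legitimately carries a 32-bit byte count for embedded binary data,
# so it is skipped by default (assumption: extend this set for other
# wide-parameter words your RTF consumer accepts).
WIDE_PARAM_OK = frozenset({"bin"})


def scan_rtf(data, max_param=MAX_PARAM, skip=WIDE_PARAM_OK):
    """Return a list of (control_word, value, byte_offset) for every
    control-word parameter whose magnitude exceeds max_param.

    This is a triage heuristic for the MS10-087 style of bug (a size field
    larger than the buffer the parser copies into). It does not decide that
    a document is malicious, only that it deserves a closer look."""
    findings = []
    for match in CONTROL_WORD.finditer(data):
        raw_param = match.group(2)
        if raw_param is None:
            continue                        # control word without a parameter
        word = match.group(1).decode("ascii")
        if word in skip:
            continue                        # spec-sanctioned wide parameter
        value = int(raw_param)
        if abs(value) > max_param:
            findings.append((word, value, match.start()))
    return findings


def is_suspicious(data, max_param=MAX_PARAM):
    """True when at least one control-word parameter is out of range."""
    return bool(scan_rtf(data, max_param))


# Constructed sample documents (not real malware); 'someword' is a placeholder.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0\\fs24 Hello\\par}"
OVERSIZED_RTF = b"{\\rtf1\\ansi{\\*\\someword99999999 AAAA}\\par}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("oversized", OVERSIZED_RTF)):
        print(name, scan_rtf(doc))
```

Because Word tolerates sloppy headers and whitespace, the scanner deliberately does not gate on a well-formed `{\rtf1` prefix; it judges every control word it can tokenize.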
According to Joshua Talbot, security intelligence manager at Symantec Security Response:
One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious e-mail to be infected. All that is required is for the content of the e-mail to appear in Outlook’s Reading Pane. If a user highlights a malicious e-mail to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious e-mail is the most recently received in their inbox; that e-mail will appear in the Reading Pane by default and the computer will be infected.
Microsoft has also made a fix available and recommends that all Microsoft Office users install it. To check for updates, click the Start button, then All Programs, then Windows Update.
Details of the MS10-087 update, including which software versions are affected, can be found here.