It is a heap corruption vulnerability in Microsoft Word's RTF parser that, if triggered, allows attackers to achieve remote code execution with the privileges of the victim.
The flaw does not require prior authentication: attackers can simply send a booby-trapped RTF file to the victim(s) via email.
Older versions may also be affected but were not tested. Furthermore, the technical details of this vulnerability have evolved over the years.
Mitigations
Microsoft Office 2010 and later use Protected View to limit damage caused by malicious documents procured from untrusted sources. Protected View is in effect when this vulnerability manifests and thus an additional sandbox escape vulnerability would be required to gain full privileges.
- Removing the file association for the RTF extension is ineffective because using a DOC extension will still reach the vulnerable code.
open("exploit.rtf", "wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rt''lch no crash??}\n}}\n").encode('utf-8'))
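As an added defender-side example (not part of the original advisory or its proof-of-concept): a Python check that recognises RTF content by its `{\rtf` signature rather than by file extension, since the mitigation note above shows that a DOC extension still reaches the parser, and flags a font table holding far more entries than any real document carries, which is the shape of the proof-of-concept above. The 1024-entry threshold, the helper names and the sample inputs are assumptions constructed here.

```python
import re

# Constructed sample inputs (not the page's file): a normal two-font document and
# one whose font table is inflated the way the proof-of-concept on this page builds it.
BENIGN_RTF = (b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fswiss Arial;}"
              b"{\\f1\\froman Times New Roman;}}\n\\f0 Hello}")
INFLATED_RTF = ("{\\rtf1{\n{\\fonttbl"
                + "".join("{\\f%dA;}\n" % i for i in range(4096))
                + "}\n}}").encode("ascii")

FONT_ENTRY_RE = re.compile(rb"\{\\f\d+")   # start of one {\fN ...;} entry


def looks_like_rtf(data: bytes) -> bool:
    """Identify RTF by content, not by extension, since .doc renames still parse as RTF."""
    return data.lstrip().startswith(b"{\\rtf")


def font_table(data: bytes) -> bytes:
    """Return the bytes of the {\\fonttbl ...} group with balanced braces, or b''."""
    start = data.find(b"{\\fonttbl")
    if start < 0:
        return b""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # skip escaped characters such as \{ and \}
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]         # unterminated group: inspect what is there


def count_fonts(data: bytes) -> int:
    """Number of font entries declared inside the font table."""
    return len(FONT_ENTRY_RE.findall(font_table(data)))


def is_suspicious(data: bytes, max_fonts: int = 1024) -> bool:
    """Flag RTF content whose font table is implausibly large (threshold is an assumption)."""
    return looks_like_rtf(data) and count_fonts(data) > max_fonts


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("inflated", INFLATED_RTF)):
        print(name, count_fonts(blob), "fonts, suspicious:", is_suspicious(blob))
```

Run it over mail attachments regardless of extension; a hit is a reason to quarantine the file for analysis rather than proof of exploitation.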