MS Word zero day does not affect WordPad

Summary: WordPad, the free, simple word processor that comes with Windows, is not vulnerable to the zero day RTF bug affecting Word. Will Office 2003 be fixed? [Updated with Microsoft statement.]

TOPICS: Security, Microsoft

Microsoft has updated their recent security advisory for Microsoft Word to indicate that Windows WordPad is not vulnerable to the same issue. Accordingly it can be used as a safe workaround for reading and editing RTF documents.

The vulnerability is a remote code execution vulnerability which allows an attacker to gain control of the system when a user opens a malicious RTF file in Microsoft Word. All versions of Microsoft Word are vulnerable to the attack. Microsoft had also announced that they "...are aware of limited, targeted attacks directed at Microsoft Word 2010." They have not announced when a fix will be released for the vulnerability or if it will be on a regularly-scheduled Patch Tuesday or "out of band".

Note that Tuesday, April 8 will be the last scheduled patch day for Office 2003, which is among the affected products. We have asked Microsoft whether it is possible, if it is not complete before April 8, that a fix for Word 2003 might be released after that date. [Thanks to F-Secure's Sean Sullivan for the tip.]

[UPDATE: Asked about Office 2003 and when it might be addressed, a Microsoft spokesperson said "we are working around the clock to address the issue and will take appropriate action to help protect customers".]

Microsoft also announced in the update that the online versions of Microsoft Word in Office 365 are vulnerable to the attack. A Microsoft spokesperson said: "Customers with Office 365 subscriptions are impacted by the issue and can help protect themselves by using the mitigations offered in Security Advisory 2953095."

WordPad uses RTF files as its default format. Windows 7 and 8 users can open RTF documents in WordPad and save them in Word's native .DOCX format. WordPad calls these "Office Open XML Document[s]". Files saved by Word as RTF do not present a problem with respect to this vulnerability.

Microsoft has also released a "Fix it" which disables support for RTF files in Word. Until a fix is available, Windows users can change the default handler for RTF files to WordPad.

  • LibreOffice, anyone???

    Subject says it all.
    • Unrealistic in the enterprise

      Unworkable for enterprises who have already standardized on MS Office and can't change directions at the drop of a hat. Individuals and small businesses? Absolutely an option. Except for this problem:
    • Ha

      Yeah, who would write a virus for that?
      Rann Xeroxx
  • LS: "Windows users can change the default handler for RTF files to WordPad"

    Will this override Word being the default editor/viewer for MS Outlook?
    Rabid Howler Monkey
    • it should

      I haven't done any testing, but I think it would. In any case, the Fix it removes whatever association Outlook had with Word for RTF.
  • Fix-It

    There is a Fix-It for this that simply disables Word from opening RTF files. It prompts the user and allows them to reenable if they like.
    Rann Xeroxx