MS Word zero day does not affect WordPad

WordPad, the free, simple word processor that comes with Windows, is not vulnerable to the zero day RTF bug affecting Word. Will Office 2003 be fixed? [Updated with Microsoft statement.]

Microsoft has updated their recent security advisory for Microsoft Word to indicate that Windows WordPad is not vulnerable to the same issue. Accordingly, it can be used as a safe workaround for reading and editing RTF documents.

The flaw is a remote code execution vulnerability that allows an attacker to gain control of the system when a user opens a malicious RTF file in Microsoft Word. All versions of Microsoft Word are vulnerable to the attack. Microsoft had also announced that they "...are aware of limited, targeted attacks directed at Microsoft Word 2010." They have not announced when a fix for the vulnerability will be released, or whether it will arrive on a regularly scheduled Patch Tuesday or "out of band".

Note that Tuesday, April 8 will be the last scheduled patch day for Office 2003, which is among the affected products. We have asked Microsoft whether it is possible, if it is not complete before April 8, that a fix for Word 2003 might be released after that date. [Thanks to F-Secure's Sean Sullivan for the tip.]

[UPDATE: Asked about Office 2003 and when it might be addressed, a Microsoft spokesperson said "we are working around the clock to address the issue and will take appropriate action to help protect customers".]

Microsoft also announced in the update that the online versions of Microsoft Word in Office 365 are vulnerable to the attack. A Microsoft spokesperson said: "Customers with Office 365 subscriptions are impacted by the issue and can help protect themselves by using the mitigations offered in Security Advisory 2953095."

WordPad uses RTF files as its default format. Windows 7 and 8 users can open RTF documents in WordPad and save them in Word's native .DOCX format. WordPad calls these "Office Open XML Document[s]". Files saved by Word as RTF do not present a problem with respect to this vulnerability.

Microsoft had also released a "Fix it" which disables support for RTF files. Until a fix is available, Windows users can change the default handler for RTF files to WordPad.