Dec 15, 2010 08:57 GMT

Security researchers from Trend Micro have spotted malicious RTF files in the wild, which exploit a known Microsoft Office vulnerability to infect users with a trojan.

RTF stands for Rich Text Format and is one of the oldest document formats. It is supported by all versions of Microsoft Word and WordPad.

The RTF-based exploit seen by Trend Micro targets a stack buffer overflow vulnerability affecting all supported Microsoft Office versions.

This remote code execution flaw, identified as CVE-2010-3333, was addressed in the MS10-087 security bulletin released by Microsoft on November 9.

If the flaw is exploited successfully, the malicious RTF files drop a trojan that hides itself by using the name of an existing service.

The malware injects code into the svchost.exe process in order to contact a remote server from where it receives instructions.

"One of the more serious concerns is that a malicious user could send an RTF-format email to target users," warns Karl Dominguez, threat response engineer at Trend.

"Since Microsoft Outlook uses Word to handle emails, the mere act of opening or viewing specially crafted messages in the reading pane would cause the exploit code to execute," he explains.

In related news, Microsoft just announced plans to backport the "File Validation" feature from Office 2010 to Office 2007 and 2003.

File Validation is a technology that checks the content of .doc, .xls, .ppt and .pub files as they are being read for signs of exploits and other malicious tampering.

In Office 2010, if a potential issue is detected, the files are opened in "Protected View," a read-only mode that prevents them from interacting with the system.

In Office 2007 and 2003, the "File Validation" feature, which will become available during the first quarter of next year, is expected to display a warning about the potentially insecure content detected inside the files.