Yep, Word is integrated with Outlook as the file previewer (Reading Pane) so email attachments have the potential to enact the exploit just by previewing them.
You can turn off Outlook previews for RTF: http://windowsitpro.com/outlook/turning-specific-files-previewing-microsoft- outlook-reading-pane And, also turn off RTF for Word: http://windowsitpro.com/microsoft-office/block-certain-file-types-opening-as sociated-office-applications From: [email protected] [mailto:[email protected]] On Behalf Of Stephen Murley Sent: Tuesday, March 25, 2014 10:38 AM To: [email protected] Subject: [mssms] Microsoft Security Advisory (2953095) New Security Advisory released yesterday http://technet.microsoft.com/en-us/security/advisory/2953095 that affects all versions of Microsoft Word. Usual deal . Remote Code Execution that takes over the computer with the rights of the logged on user. It can be exploited via the usual email attachment, or, more worryingly, "The vulnerability could be exploited when the specially crafted RTF email message is previewed or opened in Outlook while using Microsoft Word as the email viewer". There is a fix-it available which "configures the Microsoft Office File Block policy to prevent the opening of RTF files in supported versions of Microsoft Word." Microsoft is currently aware of "limited, targeted attacks directed at Microsoft Word 2010" _____ <http://www.plymouth.ac.uk/worldclass> This email and any files with it are confidential and intended solely for the use of the recipient to whom it is addressed. If you are not the intended recipient then copying, distribution or other use of the information contained is strictly prohibited and you should not rely on it. If you have received this email in error please let the sender know immediately and delete it from your system(s). Internet emails are not necessarily secure. While we take every care, Plymouth University accepts no responsibility for viruses and it is your responsibility to scan emails and their attachments. Plymouth University does not accept responsibility for any changes made after it was sent. Nothing in this email or its attachments constitutes an order for goods or services unless accompanied by an official order form.
