Yesterday, Microsoft announced a vulnerability in Microsoft Word which can allow remote code execution:

http://technet.microsoft.com/en-us/security/advisory/2953095

http://www.it.cornell.edu/services/alert.cfm?id=3116

Emergency action taken by ChemIT last night, and by Arts and Sciences this morning:

We made a change so that all Windows computers on Active Directory will not open up *.rtf files with MS Word. Instead, those files will open up in Microsoft WordPad. Also, MS Office 2013 will advise users when it opens that it is not set up to open all text documents by default. That is obviously intended.

This was done following Microsoft’s recommendation to “Disable opening RTF content in Microsoft Word.” We were especially aggressive since a conceivable vector for this “zero day” vulnerability is that users may be tricked into opening malicious *.rtf files sent as email attachments. And on most Cornell computers these will open up in MS Word (both on Macs and Windows computers). And we could quickly and confidently take these steps with Windows computers on Cornell’s Active Directory without high risk.

Not included in this change are Macs or any Windows computers not on Active Directory. On those systems with MS Word, they will by default open an *.rtf file into MS Word.

What you can do:

As always, don’t open email attachments you don’t trust. And at least in the short-term, take care not to open *.rtf files in MS Word. If you must open up an *rtf file, simply use the free word processor which comes with your operating system (WordPad on Windows, and TextEdit on the Mac).

Also, for ChemIT-managed Cornell computers, please report to us any negative consequences which may have occurred due to this emergency change.

Future expectations:

We in ChemIT do not have long-term plans. ChemIT hopes Microsoft will address this issue soon, perhaps with an update to MS Word. Our ideal situation is that we can safely revert the change made as at least a stop-gap measure.