How an RTF file can install a virus when opened

There is an analysis by Rob Rachwald over on the Imperva Data Security Blog of how an RTF document can carry a virus, in this case a trojan executable. RTF (RIch Text Format) is generally considered safer than the Microsoft Office .DOC format since it cannot include macros; but the vulnerability in this case is in the software that parses the RTF when it is opened in Microsoft Office on Windows or Mac – though in this case the actual payload is Windows-only so would not normally affect Mac users.

Unfortunately this code may run when previewing a document in Outlook, which normally embeds Word, so it is potentially rather damaging.

Rachwald traces how the embedded trojan evades anti-virus, installs itself into the Windows system32 folder, and creates a remote shell application.

It does appear that the vulnerability was patched in November 2010. Still, it is interesting that the insecure code survived in Microsoft Office at least back to Office XP Server Pack 3 in 2004 and probably earlier.

I mention it partly because the analysis is a good read, and partly to highlight the fact that even RTF documents may not be safe.