CVE-2010-3333 — Microsoft Office Stack-based Buffer Overflow Vulnerability

Microsoft Office RTF — pFragments Property Stack Overflow Enables Remote Code Execution; Exploited as Zero-Day in Targeted Attacks

What is RTF and Microsoft Office?

Rich Text Format (RTF) is a document format developed by Microsoft in 1987, designed to allow formatted text exchange between different word processing systems. Microsoft Office applications — particularly Word — include extensive RTF parsing code to handle the complex RTF specification, which supports a wide range of formatting, embedded objects, OLE objects, drawing objects, and shape properties. RTF files use control words (backslash-prefixed keywords) and groups (brace-delimited) to describe document structure. The complexity of RTF parsing — including legacy compatibility code for decades of format extensions — made the Office RTF parser a consistent source of memory safety vulnerabilities.

Overview

CVE-2010-3333 is a high-severity stack-based buffer overflow vulnerability (CWE-787, CVSS 7.8) in Microsoft Office's RTF parser. A specially crafted RTF document with a malformed pFragments shape property triggers a stack overflow in the Office drawing object processing code, enabling remote code execution when the document is opened. This vulnerability was actively exploited as a zero-day in targeted attacks before Microsoft issued the patch in Security Bulletin MS10-087 (November 2010 Patch Tuesday). CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in March 2022.

Affected Versions

Product | Vulnerable | Fixed
Microsoft Office XP SP3 | Affected | Apply MS10-087
Microsoft Office 2003 SP3 | Affected | Apply MS10-087
Microsoft Office 2007 SP2 | Affected | Apply MS10-087
Microsoft Office 2010 | Affected | Apply MS10-087
Microsoft Office 2004 for Mac | Affected | Apply MS10-087
Microsoft Office 2008 for Mac | Affected | Apply MS10-087
Open XML File Format Converter for Mac | Affected | Apply MS10-087

Technical Details

The stack-based buffer overflow (CWE-787) exists in the Office RTF parser's handling of drawing object shape properties. RTF supports drawing objects (\do control word) with associated shape properties; the pFragments property is used to describe polygon path data for drawing shapes. The vulnerable code allocates a fixed-size stack buffer to store pFragments data and copies property content into it without validating that the input length fits within the allocated buffer.

A specially crafted RTF file with a pFragments shape property containing excess data causes the stack buffer to overflow, overwriting the saved return address on the stack. By controlling the content written past the buffer, an attacker can redirect code execution to arbitrary code — typically shellcode embedded within the RTF file or a ROP chain that bypasses DEP.

The vulnerability affected all Microsoft Office applications that parse RTF (Word, Outlook, and components that render RTF preview), making email-delivered malicious RTF attachments a high-value attack vector. Malicious .RTF files were routinely renamed to .DOC to avoid extension-based filtering.
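A triage check for the two indicators described above (RTF content behind a non-.rtf extension, and a pFragments shape property with a long value), as an added example that is not part of the original page or any vendor tooling. The `{\sp{\sn name}{\sv value}}` syntax comes from the RTF specification rather than this page; `MAX_SV_BYTES`, the function names and the sample files are assumptions made for the example.

```python
import re

# Shape properties are written as {\sp{\sn <name>}{\sv <value>}}; whitespace
# between tokens is tolerated so reformatted files still match.
SP_PFRAGMENTS = re.compile(
    rb"\\sn\s*pFragments\s*\}\s*\{\s*\\sv\s*([^{}]*)", re.IGNORECASE)

# Assumption: review threshold picked for this example. It is NOT the size of
# the vulnerable stack buffer, which the page does not state.
MAX_SV_BYTES = 64

def is_rtf(data: bytes) -> bool:
    """Identify RTF by content; the file extension is not trusted."""
    return data.lstrip()[:4].lower() == b"{\\rt"

def triage(filename: str, data: bytes) -> dict:
    """Return RTF/extension-mismatch status and every pFragments value length."""
    result = {"rtf": is_rtf(data), "renamed": False, "pfragments": []}
    if not result["rtf"]:
        return result
    result["renamed"] = not filename.lower().endswith(".rtf")
    for m in SP_PFRAGMENTS.finditer(data):
        value = m.group(1).strip()
        result["pfragments"].append({
            "offset": m.start(),
            "sv_len": len(value),
            "oversized": len(value) > MAX_SV_BYTES,
        })
    return result

# Constructed samples (inert filler, no payload).
SAMPLE_SHORT = rb"{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;2;3}}}}}"
SAMPLE_LONG = (rb"{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv "
               + b"X" * 200 + rb"}}}}}")
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16  # OLE2 header

if __name__ == "__main__":
    for name, blob in [("note.rtf", SAMPLE_SHORT),
                       ("invoice.doc", SAMPLE_LONG),
                       ("legacy.doc", SAMPLE_OLE)]:
        print(name, triage(name, blob))
```

A hit is a lead for further analysis, not a verdict: RTF that splits or encodes the property name will not match a plain byte pattern.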

Discovery

The vulnerability was reported to Microsoft by security researchers who identified active zero-day exploitation in targeted attack campaigns. Microsoft issued Security Advisory 2293194 on October 28, 2010, acknowledging the zero-day and providing a workaround (opening RTF files in Protected View or blocking RTF in Outlook). The November 2010 Patch Tuesday patch was released approximately 12 days after the security advisory — a rapid patching response for a Patch Tuesday cycle.

Exploitation Context

RTF parser vulnerabilities were a primary tool for targeted cyber espionage in 2010 and remained useful for years afterward:

  • Targeted espionage before patch: The zero-day exploitation suggests use by advanced persistent threat (APT) actors targeting high-value organizations. RTF was a particularly useful delivery format because Word opened RTF files from email attachments without the Protected View sandbox that newer Office versions applied to Office Open XML documents.
  • Email attachment delivery: Malicious RTF files (or files with .DOC extension that were actually RTF format) were delivered as spear phishing attachments. Microsoft Outlook also rendered RTF in email previews, potentially triggering exploitation without the user opening any attachment.
  • Long post-patch exploitation: After the patch, unpatched Office installations — particularly Office 2003 and XP — continued to be vulnerable. Office 2003 remained in enterprise use years past its 2014 end-of-life date.
  • Metasploit availability: Public exploit code for CVE-2010-3333 was developed and added to Metasploit, making the vulnerability accessible to less sophisticated attackers after the initial APT use.
  • RTF as persistent attack surface: The RTF format itself continued to yield vulnerabilities (CVE-2012-0158, CVE-2014-1761) following CVE-2010-3333, as the complexity of the legacy parser made comprehensive fixes difficult.

Remediation

  1. Apply MS10-087: Install the November 2010 Patch Tuesday security update for all affected Office versions.
  2. Upgrade Microsoft Office: Office XP, 2003, and 2007 are end-of-life. Upgrade to Office 2019, 2021, or Microsoft 365.
  3. Protected View: Enable Protected View for email attachments and internet-sourced files — this sandboxes Office document parsing and prevents direct exploitation.
  4. Block RTF in Outlook: Use Outlook's registry-based file type blocking to prevent RTF file rendering in email (set the Level1Remove key). Modern Exchange Online and Microsoft Defender for Office 365 apply similar restrictions automatically.
  5. Attack Surface Reduction (ASR): In Microsoft Defender for Endpoint, enable the ASR rule "Block Office applications from creating executable content" and related rules to limit post-exploitation capabilities.

Key Details

Property | Value
CVE ID | CVE-2010-3333
Vendor / Product | Microsoft — Office
NVD Published | 2010-11-10
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787
CISA KEV Added | 2022-03-03
CISA KEV Deadline | 2022-03-24
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date | Event
2010-10-28 | Active exploitation of RTF stack overflow zero-day reported in targeted attacks against Office users; Microsoft issued Security Advisory 2293194
2010-11-09 | Microsoft released Security Bulletin MS10-087 (November 2010 Patch Tuesday) patching CVE-2010-3333 and other Office vulnerabilities
2010-11-10 | CVE-2010-3333 published
2022-03-03 | CISA added the vulnerability to KEV — reflecting continued exploitation of legacy Office installations
2022-03-24 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2010-3333 | Vulnerability Database
CISA KEV Catalog Entry | US Government
Microsoft Security Bulletin MS10-087 | Vendor Advisory