What is Microsoft Word?
Microsoft Word is the world's most widely used word processing application, part of the Microsoft Office suite. Word supports the RTF (Rich Text Format) file format — a legacy document interchange format that encodes text formatting using control words and groups. RTF parsing in Word involves processing a complex, largely unstructured format with many historical quirks. This complexity has made the Word RTF parser a persistent source of memory corruption vulnerabilities over multiple product generations.
Overview
CVE-2012-2539 is an out-of-bounds write vulnerability (CWE-787) in Microsoft Word's RTF parser. Processing a specially crafted RTF document triggers a memory write beyond the bounds of an allocated buffer, leading to memory corruption and arbitrary code execution in the context of the user running Word. Microsoft patched this in Security Bulletin MS12-079 on December 11, 2012.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Microsoft Word 2003 SP3 | Yes | MS12-079 |
| Microsoft Word 2007 SP2, SP3 | Yes | MS12-079 |
| Microsoft Word 2010 SP1 (32-bit and 64-bit) | Yes | MS12-079 |
| Microsoft Office for Mac 2011 | Yes | MS12-079 |
| Microsoft Office Compatibility Pack SP2, SP3 | Yes | MS12-079 |
| Microsoft Word Viewer | Yes | MS12-079 |
Technical Details
RTF (Rich Text Format) uses a nested structure of groups, control words, and data. Microsoft Word's RTF parser allocates buffers based on declared size fields within the format; a malformed RTF document can supply a value that causes the parser to write beyond the end of an allocated buffer (CWE-787: out-of-bounds write).
The CVSS Local attack vector (AV:L) reflects that the RTF document is opened from the local file system (an email attachment saved to disk, or a downloaded file) rather than fetched directly over the network. User interaction is required: the user has to open the malicious document.
RTF-based Word vulnerabilities are particularly dangerous in enterprise environments because:
- RTF files do not trigger macro security warnings, so telling users not to "enable macros" does not help
- RTF is a native Word format, so it opens without compatibility prompts
- The same malicious RTF file can be opened by multiple Office versions
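The group, control word and data structure described above can be walked with a small tokenizer for file or mail-gateway triage. The following is an added example, not code from Microsoft or from this page, and it is a structural sanity check rather than a signature for CVE-2012-2539: the page does not name the size field involved, so the example assumes the RTF `\binN` control word (which declares N raw bytes that follow) as the declared length to validate. The function name `triage_rtf` and all sample byte strings are constructed for illustration.

```python
import re

# Control word: backslash, ASCII letters, optional signed number, optional space delimiter.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?")

def triage_rtf(data: bytes) -> dict:
    """Walk RTF groups and control words and report structural anomalies."""
    report = {"is_rtf": data.lstrip().startswith(b"{\\rtf"),
              "max_depth": 0, "unbalanced": False, "findings": []}
    if not report["is_rtf"]:
        return report  # identified by content, so a renamed extension does not matter
    depth, i, n = 0, 0, len(data)
    while i < n:
        c = data[i:i + 1]
        if c == b"{":
            depth += 1
            report["max_depth"] = max(report["max_depth"], depth)
        elif c == b"}":
            depth -= 1
            if depth < 0:
                report["findings"].append(f"unmatched '}}' at offset {i}")
                depth = 0
        elif c == b"\\":
            m = CONTROL_WORD.match(data, i)
            if m is None:
                i += 2  # control symbol such as \{ or \' : skip it, braces here are literal
                continue
            i = m.end()
            if m.group(1) == b"bin" and m.group(2) is not None:
                declared = int(m.group(2))  # \binN declares N raw bytes that follow
                if declared < 0 or declared > n - i:
                    report["findings"].append(
                        f"\\bin declares {declared} bytes, {n - i} remain")
                    break  # the rest of the stream cannot be trusted
                i += declared  # raw bytes are data, not markup
            continue
        i += 1
    report["unbalanced"] = depth != 0
    return report

# Constructed samples (not taken from any real document).
SAMPLE_OK = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\f0 Hello\\par}"
SAMPLE_RAW = b"{\\rtf1{\\pict\\bin3 }{}}}"        # 3 raw bytes that look like braces
SAMPLE_BAD = b"{\\rtf1\\ansi{\\pict\\bin4096 AB}}"  # declared length exceeds file
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE2 header, not RTF

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_RAW", "SAMPLE_BAD", "SAMPLE_OLE"):
        print(name, triage_rtf(globals()[name]))
```

A clean report does not mean a file is safe; findings are a reason to quarantine the file or route it to a sandbox.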
Discovery
The vulnerability was discovered through security research and coordinated with Microsoft, resulting in inclusion in the December 2012 Patch Tuesday cycle (MS12-079).
Exploitation Context
CISA confirmed in-the-wild exploitation. Word RTF vulnerabilities of this era were heavily used by APT groups in spear-phishing campaigns — a malicious RTF file attached to a targeted email could achieve code execution without any security warnings, making it an effective initial access vector against corporate and government targets.
Remediation
- Apply MS12-079 on all affected Office installations
- Keep Microsoft Office updated via Windows Update or Microsoft Update — December 2012 patches should be included in any fully updated Office installation
- Enable Office Protected View, which opens documents from email attachments and internet sources in a sandboxed read-only mode
- Configure Office Attack Surface Reduction rules to prevent Word from spawning child processes
- If RTF is not required, configure Office Group Policy to block RTF file opening in Word
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2012-2539 |
| Vendor / Product | Microsoft — Word |
| NVD Published | 2012-12-12 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2022-03-28 |
| CISA KEV Deadline | 2022-04-18 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2012-12-11 | Microsoft releases MS12-079 patching the Word RTF parsing out-of-bounds write |
| 2012-12-12 | CVE-2012-2539 published |
| 2022-03-28 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-18 | CISA BOD 22-01 remediation deadline |