CVE-2014-1761 — Microsoft Word Memory Corruption Vulnerability

Microsoft Word — Sandworm Team Zero-Day: RTF Parsing Memory Corruption Used in Spear-Phishing Against Ukraine and NATO Targets

What Is Microsoft Word?

Microsoft Word is the world's most widely deployed word processing application, part of Microsoft Office (now Microsoft 365). Word supports numerous file formats, including RTF (Rich Text Format) — a decades-old standard for exchanging formatted documents between word processors. RTF parsing is handled by Word's rendering engine and historically has been a significant source of vulnerability: the format's complexity (supporting embedded objects, fonts, and complex formatting instructions) creates a large attack surface for memory corruption bugs. Word documents are ubiquitous in enterprise email, making Word exploits a primary vehicle for initial access in targeted attacks.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 15, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-1761 is a memory corruption vulnerability in Microsoft Word's RTF (Rich Text Format) file parser. A specially crafted RTF document triggers an out-of-bounds write during parsing, leading to arbitrary code execution in the context of the Word process. The vulnerability was exploited as a zero-day by Sandworm Team (a Russian state-sponsored APT group) in targeted spear-phishing campaigns against Ukrainian government entities, European defense organizations, and NATO-aligned institutions. Microsoft issued a FixIt workaround before the formal patch and published MS14-017 on April 8, 2014.

Affected Versions

Product                   | Status
--------------------------|----------------------------------
Microsoft Word 2003       | Vulnerable — patched in MS14-017
Microsoft Word 2007       | Vulnerable — patched in MS14-017
Microsoft Word 2010       | Vulnerable — patched in MS14-017
Microsoft Word 2013       | Vulnerable — patched in MS14-017
Microsoft Word 2013 RT    | Vulnerable — patched in MS14-017
Microsoft Word Viewer     | Vulnerable — patched in MS14-017
Office Web Apps 2010/2013 | Vulnerable — patched in MS14-017

Technical Details

Root Cause: RTF Parser Out-of-Bounds Write

RTF files use a tag-based format for document structure and formatting. Word's RTF parser handles many complex tag types, including list override tables, font tables, and embedded objects. The vulnerability is in how Word processes a specific malformed RTF structure — a crafted record in the RTF list or font table triggers an out-of-bounds write where attacker-controlled data is written to memory outside the intended buffer.

The resulting corrupted memory state can be leveraged to redirect Word's execution to shellcode. In-the-wild exploits used heap spray techniques to place shellcode reliably before triggering the corruption.
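To make the bug class concrete, the following is an added illustration written for this page; it is not Word's code, and the exact Word structure at fault is not public at this level of detail. It models a font-table parser that stores entries in a fixed-size array indexed by the \fN number read from the file. The `MAX_FONTS` limit, the `FontEntry` layout and the sample RTF strings are constructed assumptions. The range check on `idx` is the check whose absence turns a file-controlled index into an out-of-bounds write (CWE-787).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the CWE-787 pattern this advisory describes:
 * a parser that stores font-table entries in a fixed-size array indexed by
 * the \fN number read straight from the file. Toy code, not Word's. */

#define MAX_FONTS 8
#define NAME_LEN  32

typedef struct {
    int  used;
    char name[NAME_LEN];
} FontEntry;

/* Parse entries like {\fonttbl{\f0 Arial;}{\f1 Times;}} into `table`, which
 * has room for `cap` entries. Returns the number of entries stored, or -1
 * for input without a font table, a missing ';' terminator, or an \fN index
 * outside [0, cap). Omitting the range check on `idx` is the defect class
 * described above: the file would then choose where the write lands.
 * Simplification: the scan for "{\f" groups continues past the table's
 * closing brace, which is acceptable for this illustration. */
int parse_font_table(const char *rtf, FontEntry *table, int cap)
{
    const char *p = strstr(rtf, "{\\fonttbl");
    if (!p)
        return -1;
    p += strlen("{\\fonttbl");

    int count = 0;
    while ((p = strstr(p, "{\\f")) != NULL) {
        p += 3;
        if (*p < '0' || *p > '9')      /* another control word, e.g. \footnote */
            continue;

        char *end;
        long idx = strtol(p, &end, 10);
        if (idx < 0 || idx >= cap)     /* the bounds check the bug class lacks */
            return -1;
        p = end;
        while (*p == ' ')
            p++;

        const char *semi = strchr(p, ';');
        if (!semi)
            return -1;
        size_t n = (size_t)(semi - p);
        if (n >= NAME_LEN)             /* truncate rather than overflow `name` */
            n = NAME_LEN - 1;
        memcpy(table[idx].name, p, n);
        table[idx].name[n] = '\0';
        table[idx].used = 1;
        count++;
        p = semi;
    }
    return count;
}

/* Wrappers over one zeroed table so results can be inspected by callers. */
static FontEntry g_table[MAX_FONTS];

int demo_parse(const char *rtf)
{
    memset(g_table, 0, sizeof g_table);
    return parse_font_table(rtf, g_table, MAX_FONTS);
}

const char *demo_font_name(int idx)
{
    return (idx >= 0 && idx < MAX_FONTS && g_table[idx].used) ? g_table[idx].name : "";
}

int main(void)
{
    /* Constructed samples: a well-formed table, and one whose \f300 index
     * exceeds the 8-entry table and is therefore rejected. */
    const char *ok  = "{\\rtf1{\\fonttbl{\\f0 Arial;}{\\f1 Times New Roman;}}\\f0 Hello}";
    const char *bad = "{\\rtf1{\\fonttbl{\\f0 Arial;}{\\f300 Overflow;}}}";
    printf("well-formed: %d entries, font 1 = %s\n", demo_parse(ok), demo_font_name(1));
    printf("out-of-range index: %d\n", demo_parse(bad));
    return 0;
}
```

The point of the example is the single comparison `idx >= cap`: every table that a file format lets the document index (font tables, list override tables, style tables) needs the same check before the index is used as a write position, and a parser that trusts the number from the file is exactly the shape of bug this advisory describes.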

Why the Outlook Preview Pane Is a Critical Vector

A particularly dangerous aspect of this vulnerability is that Outlook's preview pane triggers Word's RTF parser when an email containing an RTF attachment is selected for preview — even without double-clicking to open the attachment. This means a user can be exploited simply by selecting a malicious email in their inbox, with no further interaction required.

Attack Characteristics

Attribute            | Detail
---------------------|-----------------------------------------------------------------
Attack Vector        | Local (file-based) — delivered via email attachment or download
User Interaction     | Required (select/open the RTF file or email preview)
Outlook Preview Pane | Exploitable without opening the document
Code Execution       | At the privilege level of the Word/Outlook process user
CWE                  | CWE-787: Out-of-bounds Write

Discovery

FireEye observed active zero-day exploitation in March 2014 during threat intelligence monitoring, attributing the campaign to an advanced persistent threat actor. FireEye reported the vulnerability to Microsoft, which issued a FixIt advisory on March 24, 2014. The formal patch was delivered on the April 2014 Patch Tuesday (MS14-017).

Exploitation Context

  • Sandworm Team attribution: iSIGHT Partners and FireEye attributed the zero-day exploitation to Sandworm Team (also known as Telebots, Voodoo Bear, UAC-0002) — a Russian GRU-linked APT group that later became infamous for the 2015–2016 Ukraine power grid attacks and the 2017 NotPetya wiper malware campaign
  • Targeting: Ukrainian government ministries, EU defense contractors, NATO-affiliated think tanks, and energy sector organizations in Eastern Europe during a period of heightened Russia-Ukraine tensions (preceding the 2014 Crimea annexation)
  • Payload: BlackEnergy malware (a modular backdoor attributed to Sandworm) was delivered via the exploit, establishing persistent access for reconnaissance and later operational stages
  • Spear-phishing delivery: Malicious RTF documents sent via targeted emails to specific individuals in government and defense roles
  • Outlook preview pane exploitation: Reduced required user interaction — victims could be compromised simply by selecting the email in Outlook

Remediation

CISA BOD 22-01 Deadline: August 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS14-017 — the April 8, 2014 security bulletin for Microsoft Word and Office Web Apps.

  2. Enable Protected View in Word: File → Options → Trust Center → Trust Center Settings → Protected View → enable all three "Enable Protected View for..." checkboxes. Protected View opens untrusted documents in a read-only sandbox, preventing exploit code from running.

  3. Disable the Outlook preview pane for RTF emails (or configure Outlook to read all emails in plain text) to prevent silent exploitation via the preview pane.

  4. Microsoft EMET (for legacy systems): Enhanced Mitigation Experience Toolkit can add heap spray detection and ROP chain mitigations to Office applications.

  5. Restrict RTF file processing: In high-security environments, configure Group Policy to block RTF files from opening in Word: Computer Configuration → Administrative Templates → Microsoft Word → Block opening of pre-release file format types.

  6. Monitor for indicators: Sandworm-associated BlackEnergy malware indicators include specific registry persistence keys and unusual process spawning from winword.exe.
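The monitoring step above names unusual process spawning from winword.exe as an indicator. The following is an added detection example, not from this advisory or from Microsoft: it walks process-creation records, keeps only those whose parent image is winword.exe, and flags any child that is not on a small allowlist of helpers Word is expected to start. The pipe-delimited `key=value` record format, the `ALLOWED_CHILDREN` list and the `SAMPLE_LOG` events are all constructed assumptions; map the `Image` and `ParentImage` field names onto whatever your process-creation telemetry emits.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added detection example, not part of the advisory: flag process-creation
 * events whose parent is winword.exe and whose child is not an expected
 * helper. The log format, the sample events and the allowlist are
 * constructed assumptions. */

/* Children Word starts in ordinary use (assumed allowlist; tune per estate). */
static const char *const ALLOWED_CHILDREN[] = { "splwow64.exe", "dw20.exe" };

static const char *basename_of(const char *path)
{
    const char *slash = strrchr(path, '\\');
    return slash ? slash + 1 : path;
}

/* Case-insensitive equality; image names in Windows logs vary in case. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Copy the value following `key` (e.g. "|Image=") from a pipe-delimited line. */
static int get_field(const char *line, const char *key, char *out, size_t cap)
{
    const char *p = strstr(line, key);
    if (!p)
        return 0;
    p += strlen(key);
    size_t n = strcspn(p, "|");
    if (n >= cap)
        n = cap - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* 1 if `parent_image` is winword.exe and `child_image` is not an allowed helper. */
int is_unusual_word_child(const char *parent_image, const char *child_image)
{
    if (!ieq(basename_of(parent_image), "winword.exe"))
        return 0;
    const char *child = basename_of(child_image);
    for (size_t i = 0; i < sizeof ALLOWED_CHILDREN / sizeof *ALLOWED_CHILDREN; i++)
        if (ieq(child, ALLOWED_CHILDREN[i]))
            return 0;
    return 1;
}

/* Returns how many of `n` log lines describe an unusual child of winword.exe. */
int count_unusual_word_children(const char *const *lines, size_t n)
{
    char parent[260], child[260];
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!get_field(lines[i], "|ParentImage=", parent, sizeof parent) ||
            !get_field(lines[i], "|Image=", child, sizeof child))
            continue;                      /* not a process-creation record */
        if (is_unusual_word_child(parent, child)) {
            printf("ALERT: %s spawned %s\n", parent, child);
            hits++;
        }
    }
    return hits;
}

/* Constructed sample telemetry: two benign events, two worth alerting on. */
const char *const SAMPLE_LOG[] = {
    "EventID=1|Image=C:\\Windows\\splwow64.exe|ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE",
    "EventID=1|Image=C:\\Users\\Public\\update.exe|ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof *SAMPLE_LOG;

int main(void)
{
    int hits = count_unusual_word_children(SAMPLE_LOG, SAMPLE_LOG_LEN);
    printf("%d unusual winword.exe child process(es)\n", hits);
    return 0;
}
```

An allowlist keyed on the parent image is deliberately narrow: a document viewer has very few legitimate reasons to start a shell, a scripting host or a binary from a user-writable path, so a short list of known helpers with everything else alerting gives far fewer false negatives than trying to enumerate bad children. The same rule applies unchanged to the Outlook preview-pane case, since the parser still runs inside a Word process.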

Key Details

Property             | Value
---------------------|-------------------------------------------------
CVE ID               | CVE-2014-1761
Vendor / Product     | Microsoft — Word
NVD Published        | 2014-03-25
NVD Last Modified    | 2025-10-22
CVSS 3.1 Score       | 7.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-787 — Out-of-bounds Write
CISA KEV Added       | 2022-02-15
CISA KEV Deadline    | 2022-08-15
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-08-15. Apply updates per vendor instructions.

Timeline

Date       | Event
-----------|------------------------------------------------------------------------------------------
2014-03-18 | FireEye discovers active zero-day exploitation in spear-phishing attacks against government targets
2014-03-24 | Microsoft Security Advisory 2953095 published; FixIt workaround released
2014-03-25 | CVE-2014-1761 published by NVD
2014-04-08 | Microsoft Security Bulletin MS14-017 released (Patch Tuesday); formal patch available
2022-02-15 | Added to CISA Known Exploited Vulnerabilities catalog
2022-08-15 | CISA BOD 22-01 remediation deadline