CVE-2015-1641 — Microsoft Office Memory Corruption Vulnerability


Microsoft Office — RTF File Memory Corruption Enables RCE via Malicious Document; Exploited by APTs Including Taidoor; Patched in MS15-033

What Is Microsoft Office RTF Handling?

Rich Text Format (RTF) is a document format that Microsoft Word has supported since the 1980s. RTF files encode document content as plain text made up of control words and braced groups, and the format supports complex document features including embedded objects, styled text, tables, and images. Word's RTF parser is a large, complex subsystem with a long history of security vulnerabilities; RTF's complexity and legacy code paths make it a consistent source of memory corruption bugs.

Malicious RTF documents are a favored delivery mechanism for targeted attacks because an RTF file can exploit Word's parser without macros (which trigger security warnings), and because email security gateways often whitelist the .doc and .rtf file types.
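Because Word chooses its parser by sniffing the file content rather than the extension, an RTF body saved as .doc still reaches the RTF parser, so a gateway that trusts extensions alone does not help. The following PowerShell is an added example (not part of this CVE record, and not Microsoft code) of checking attachments by header instead; the sample files it writes to a temp directory are constructed for the demonstration.

```powershell
# Added example: identify RTF content by its header rather than by file extension.
# Not from the CVE record or Microsoft; the sample files below are constructed for the demo.

function Test-RtfContent {
    param([Parameter(Mandatory)][string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] 4
        $read = $stream.Read($head, 0, 4)
    } finally {
        $stream.Dispose()
    }
    if ($read -lt 4) { return $false }
    # RTF begins with "{\rtf1", but Word also accepts the abbreviated "{\rt" header,
    # so match on the 4-byte prefix to avoid missing variants a scanner would not expect.
    return ([System.Text.Encoding]::ASCII.GetString($head) -eq '{\rt')
}

function Find-DisguisedRtf {
    # Reports files whose content is RTF but whose extension claims something else.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -File -Recurse |
        Where-Object { $_.Extension -ne '.rtf' -and (Test-RtfContent -Path $_.FullName) } |
        ForEach-Object {
            [pscustomobject]@{
                File        = $_.FullName
                ClaimedType = $_.Extension
                RealType    = 'RTF'
            }
        }
}

# --- constructed demo input ---
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ("rtfscan-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null

# A harmless RTF body saved under a .doc extension: the disguise this record describes.
[System.IO.File]::WriteAllText((Join-Path $tmp 'invoice.doc'), '{\rtf1\ansi Hello}', [System.Text.Encoding]::ASCII)
# What a legacy binary .doc actually starts with: the OLE compound-document signature.
[System.IO.File]::WriteAllBytes((Join-Path $tmp 'report.doc'), [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1))
# A correctly labelled RTF file; not reported, since its extension already says RTF.
[System.IO.File]::WriteAllText((Join-Path $tmp 'notes.rtf'), '{\rtf1\ansi Notes}', [System.Text.Encoding]::ASCII)

Find-DisguisedRtf -Directory $tmp | Format-Table -AutoSize   # lists invoice.doc only
Remove-Item -Recurse -Force $tmp
```

Point Find-DisguisedRtf at a quarantine or attachment-staging folder; anything it reports should be routed to the same sandboxing or manual review that .rtf attachments receive, whatever the name on the file says.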

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-1641 is a memory corruption vulnerability in Microsoft Office (specifically Word's RTF parser) that allows remote code execution when a user opens a specially crafted RTF document. The vulnerability was exploited by multiple APT groups — including the Taidoor malware campaign associated with Chinese-nexus threat actors — in targeted spear-phishing attacks against government and enterprise targets. Patched in MS15-033 (April 14, 2015). Notably, CVE-2015-1641 was included in CISA's inaugural Known Exploited Vulnerabilities catalog in November 2021, reflecting its sustained use in targeted attacks.

Affected Versions

Office Product                                                    Status
Microsoft Word 2007 SP3                                           Vulnerable
Microsoft Word 2010 SP2                                           Vulnerable
Microsoft Word 2013 / 2013 RT                                     Vulnerable
Office for Mac 2011                                               Vulnerable
Microsoft SharePoint Server 2010/2013 (Word Automation Services)  Vulnerable

Systems patched with MS15-033 are not vulnerable.

Technical Details

Root Cause: RTF Parser Out-of-Bounds Write

CVE-2015-1641 involves an out-of-bounds write (CWE-787) in Microsoft Word's RTF parsing code. When Word processes a specially crafted RTF file, it mishandles specific RTF control words or property values in a way that writes data beyond the bounds of an allocated heap buffer.

The out-of-bounds write can corrupt adjacent heap metadata or object pointers. With precise heap manipulation (achievable through careful RTF structure), an attacker can overwrite a function pointer or vtable pointer in an adjacent Word object — redirecting execution to attacker-controlled code when that pointer is used.

Attack Delivery

The standard attack pattern:

  1. Spear-phishing email — attacker sends target a malicious RTF file via email (as .doc, .rtf, or renamed extension)
  2. Document opened — target opens the document in Microsoft Word
  3. RTF parser triggered — Word parses the malicious RTF structure
  4. Memory corruption — the out-of-bounds write corrupts heap memory
  5. Code execution — attacker-controlled code runs in the context of the Word process (typically the logged-in user)

Attack Characteristics

Attribute         Detail
Attack Vector     Local: malicious RTF document opened by the user
User Interaction  Required (the user opens the document)
Delivery          Email attachment, web download
File Types        .rtf, .doc (RTF-format Word documents)
Impact            Code execution as the current user

Discovery

Reported to Microsoft and patched in MS15-033 (April 2015). Microsoft credited multiple security researchers. The vulnerability was observed being exploited in targeted attacks prior to the patch being available.

Exploitation Context

  • Inaugural CISA KEV (November 2021): CVE-2015-1641 was included in the very first iteration of the CISA Known Exploited Vulnerabilities catalog in November 2021, alongside other high-priority historical CVEs — reflecting CISA's assessment that it was still being actively exploited 6+ years after the patch
  • Taidoor APT campaign: The Taidoor malware family (attributed to Chinese-nexus threat actors) used CVE-2015-1641 in spear-phishing campaigns targeting Taiwanese government agencies and defense contractors; malicious RTF documents delivered the Taidoor RAT (Remote Access Trojan)
  • Taiwan and East Asia targeting: Taidoor campaigns focused heavily on Taiwanese government, military, and defense industrial base targets, consistent with Chinese-nexus APT targeting patterns
  • Long exploitation tail: Targeted APT groups reuse reliable exploits against unpatched targets for years after patches are available — particularly effective against organizations with poor patch management or older Office deployments
  • CISA KEV (2021): Added November 2021

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS15-033 (April 2015) or maintain Office with current Microsoft Update. Any Office version updated after April 2015 includes this fix.

  2. Enable Office Protected View — opens documents received from email or the internet in a sandboxed, read-only mode that contains the impact of parser exploitation. Protected View requires an additional user action to enable editing.

  3. Disable RTF in Microsoft Word — via Group Policy or registry, Office can be configured to block RTF documents entirely. If RTF is not used organizationally, this eliminates the attack surface.

  4. Deploy Microsoft Defender Attack Surface Reduction (ASR) rules — ASR rules can block Office applications from creating child processes, significantly reducing the impact of Office exploitation.

  5. Email attachment filtering — configure email gateways to block or sandbox RTF and DOC attachments, requiring manual review before delivery.

  6. Keep Office updated — Microsoft releases monthly security updates for Office; maintaining current patch levels eliminates this and similar vulnerabilities.
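Steps 2 to 4 above can be applied together from one PowerShell script. The script below is an added example (not from this CVE record and not Microsoft's own code). It assumes Office 2016/2019/Microsoft 365 (policy registry path version 16.0), an elevated session, and the value names used by the Office policy templates for Word File Block and Protected View (RtfFiles, OpenInProtectedView, the Disable*InPV values); confirm those names and codes against the ADMX for the deployed Office version before rolling it out.

```powershell
# Added example: harden Word against malicious RTF documents (not from the CVE record or Microsoft).
# Assumes Office 2016/2019/Microsoft 365 (policy path version 16.0) and an elevated PowerShell session.
# Registry value names follow the Office policy templates for Word File Block and Protected View;
# verify them against the ADMX for your Office version before deploying.
$wordSecurity = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

# Step 3: File Block for RTF. RtfFiles = 2 means "open/save blocked, use open policy";
# OpenInProtectedView = 0 makes that open policy "do not open" (1 = open in Protected View).
$fileBlock = Join-Path $wordSecurity 'FileBlock'
New-Item -Path $fileBlock -Force | Out-Null
Set-ItemProperty -Path $fileBlock -Name 'RtfFiles'            -Value 2 -Type DWord
Set-ItemProperty -Path $fileBlock -Name 'OpenInProtectedView' -Value 0 -Type DWord

# Step 2: keep Protected View enabled for internet files, Outlook attachments and unsafe
# locations. These are "Disable..." values, so 0 leaves each Protected View trigger on.
$protectedView = Join-Path $wordSecurity 'ProtectedView'
New-Item -Path $protectedView -Force | Out-Null
foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV') {
    Set-ItemProperty -Path $protectedView -Name $name -Value 0 -Type DWord
}

# Step 4: Defender ASR rule "Block all Office applications from creating child processes".
# If the parser bug fires, a payload that tries to spawn a shell from Word is blocked.
$asrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcess `
                 -AttackSurfaceReductionRules_Actions Enabled

# Read back what was set.
Get-ItemProperty -Path $fileBlock     | Select-Object RtfFiles, OpenInProtectedView
Get-ItemProperty -Path $protectedView | Select-Object Disable*InPV
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $asrOfficeChildProcess) {
        "ASR rule $asrOfficeChildProcess action code: $($prefs.AttackSurfaceReductionRules_Actions[$i]) (1 = Enabled)"
    }
}
```

The registry writes go to the per-user Policies hive, so in a domain the equivalent Group Policy settings (Word File Block Settings and Protected View under User Configuration) are the durable way to deploy them; the ASR rule is machine-wide and survives user changes. Run the rule in AuditMode first if line-of-business macros legitimately spawn processes from Office.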

Key Details

Property              Value
CVE ID                CVE-2015-1641
Vendor / Product      Microsoft — Office
NVD Published         2015-04-14
NVD Last Modified     2025-10-22
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-787 — Out-of-Bounds Write
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Local
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2015-04-14  Microsoft Security Bulletin MS15-033 released; CVE-2015-1641 patched
2015-04-14  CVE-2015-1641 published by NVD
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog (inaugural KEV catalog)
2022-05-03  CISA BOD 22-01 remediation deadline