Fewer vulnerabilities have been found in RTF because the format does not offer the extensive functionality of, for example, Microsoft Word DOC files. In theory, less functionality means fewer features that can be abused for bad intentions, which is why the RTF format is often used for the supposedly secure exchange of documents. Most office programs can read RTF files, and the format offers enough possibilities to make a text appealing. On the other hand, RTF documents have more functionality than plain text files; with a pure text format there is little opportunity for an appealing design of the content. So RTF seems to be the best compromise between functionality and security.
How The Attack Works
However, other files can be embedded in RTF documents. The security providers described how a social engineering attack is used to get users to click on such an embedded malicious file. On Windows, users can open such a file directly from WordPad. Experts report that the malicious RTF document contains instructions telling the user to open the embedded file. The supposed confirmation of receipt is actually a CPL file for the Windows Control Panel. The CPL file launched this way from inside the RTF document then downloads the malware, an unusual way of spreading malware.
The Embedded RTF Malware
As a user, keep in mind that there are few legitimate reasons to embed a file in an RTF document. If you encounter such a document, you should be careful. Appropriate training of employees is therefore advisable, but experience has shown that training alone is not a reliable safeguard. Organizations can protect their endpoints with anti-spam or anti-malware software that scans email and/or network traffic. Another option would be network devices that identify embedded files via deep inspection.
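As an added example (not code from the original article), a small Python scanner for the deep-inspection check described above: it pulls each embedded OLE1 object out of an RTF file's \objdata hex, reads the object's class name, and flags a Package object whose native data names an executable-type file such as the .cpl used in this campaign. It goes slightly beyond the page by also checking a few other executable extensions; the sample RTF it builds is constructed for the demonstration, not a captured lure, and the function names are my own.

```python
import re
import struct

EXEC_EXT_RE = re.compile(rb"\.(cpl|exe|scr|js|vbs|bat|hta)\x00", re.I)  # not expected in a document

def _lp_string(s: bytes) -> bytes:
    """OLE1 LengthPrefixedAnsiString: 4-byte length (incl. NUL) + bytes + NUL."""
    return struct.pack("<L", len(s) + 1) + s + b"\x00"

def _read_lp_string(buf: bytes, off: int):
    (n,) = struct.unpack_from("<L", buf, off)
    return buf[off + 4: off + 4 + n].rstrip(b"\x00"), off + 4 + n

def build_sample_rtf(filename: bytes, payload: bytes, class_name: bytes = b"Package") -> str:
    """Constructed sample (not a captured lure): RTF with one embedded OLE1 object."""
    native = filename + b"\x00" + payload  # simplified Package body: name, NUL, content
    ole1 = (struct.pack("<LL", 0x00000501, 2)  # OLEVersion, FormatID 2 = embedded
            + _lp_string(class_name) + _lp_string(b"") + _lp_string(b"")
            + struct.pack("<L", len(native)) + native)
    return ("{\\rtf1\\ansi Please open the attached confirmation of receipt.\\par "
            "{\\object\\objemb{\\*\\objclass " + class_name.decode() + "}"
            "{\\*\\objdata " + ole1.hex() + "}}}")

def scan_rtf(rtf: str) -> list:
    """One finding per \\objdata group: OLE1 class, linked/embedded, exec-type file name."""
    findings = []
    for m in re.finditer(r"\\\*\\objdata([^}]*)", rtf):
        # drop stray control words inside the group, then keep only hex digits
        hexdata = re.sub(r"[^0-9A-Fa-f]", "", re.sub(r"\\[a-z]+-?\d*", "", m.group(1)))
        blob = bytes.fromhex(hexdata[: len(hexdata) // 2 * 2])
        try:
            _version, format_id = struct.unpack_from("<LL", blob, 0)
            class_name, off = _read_lp_string(blob, 8)
            _topic, off = _read_lp_string(blob, off)
            _item, off = _read_lp_string(blob, off)
        except struct.error:  # too short to carry an OLE1 header: nothing to parse
            continue
        native = b""
        if format_id == 2 and off + 4 <= len(blob):
            (size,) = struct.unpack_from("<L", blob, off)
            native = blob[off + 4: off + 4 + size]
        ext = EXEC_EXT_RE.search(native)
        findings.append({
            "class_name": class_name.decode("latin-1"),
            "format": "embedded" if format_id == 2 else "linked",
            "native_size": len(native),
            "suspicious_ext": ext.group(1).decode().lower() if ext else None,
            "flag": class_name == b"Package" and ext is not None,
        })
    return findings
```

Run `scan_rtf(open(path).read())` over a suspect file; a finding with `"flag": True` is the case described in the article, a raw file package carrying an executable-type name.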
Of course, RTF files can also be blocked completely, which is hardly possible for DOC and PDF files, because RTF is not used that often. However, this does nothing against the dangers posed by possible malware in other file attachments. That leaves the option of simply blocking all file attachments from external email addresses, but this drastic measure is guaranteed to have a negative impact on business. Given all of these tradeoffs, the most reliable approach is to complement the anti-malware software on the endpoints with network devices such as intrusion prevention systems, anti-malware appliances or next-generation firewalls.