Subj : Re: PDF Issue
To : Ed Vance
From : Ky Moffet
Date : Thu Oct 31 2024 16:21:00

ED VANCE wrote:
> August, Re: text files made with Wordpad have a .rtf extension.
>
> I recall sometime back reading someone saying rtf files could contain unwanted
> code that may cause computer problems
>
> Would You or Anyone Else here post a Link or Comment about what I am curious
> about.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716
https://bufferzonesecurity.com/the-beginners-guide-to-rtf-malware-reverse-engineering-part-1/
https://foxptr.medium.com/analyzing-rtf-documents-5bb45071adfd
https://www.opswat.com/blog/malicious-rtf-file
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/

However, a malicious RTF will only do something if the file is opened in an executable-aware application like Microsoft Word, that is capable of dealing with OLE objects. RoughDraft just ignores scripts and embeds (and anything else it doesn't understand), and probably Atlantis and AbiWord will likewise just look at you funny. Wordpad can be externally hijacked (same as any executable can be), but AFAIK not by a malicious document. I don't know about LibreOffice.

However, there used to be a setting in MSFT Word to disallow execution of scripts, and I thought that became the default some years back. But I don't use it so I don't keep track.

https://downtownmanagedservices.com/blog/2023/10/11/wordpad-woes-how-dll-hijacking-vulnerability-can-compromise-your-windows-10-security/

Note that this requires that you actively download malware first. It doesn't just arrive out of the blue.

In practice, I've never heard of either being done, nor have I ever seen a malicious RTF. It's much easier to get the target to open a .DOC file, and the techniques for hiding malicious scripts in DOC files are much more widely known.

PDFs can likewise carry malicious scripts.

■ RNET 2.10U: ILink: Techware BBS ■ Hollywood, Ca ■ www.techware2k.com
--- QScan/PCB v1.20a / 01-0462
 * Origin: ILink: CFBBS | cfbbs.no-ip.com (454:1/1)
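
Added example, not part of the message above and not code from any of the linked articles: a Python triage check that looks inside an RTF file for the control words that carry embedded or linked OLE objects, which is the part a plain viewer ignores. The watch list, the `scan_rtf` name and both sample documents are constructed for illustration.

```python
import re

# RTF control words that introduce embedded or linked OLE objects.
OBJECT_WORDS = {"object", "objemb", "objlink", "objautlink", "objocx",
                "objupdate", "objclass", "objdata"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound-file header

# A control word (\name, optional number, optional space) or an escaped
# symbol such as \\ or \{ ; consuming symbols stops "\\object" in body
# text from being misread as the \object control word.
CONTROL = re.compile(rb"\\(?:([a-z]+)(-?\d+)? ?|[^a-z])")
HEXRUN = re.compile(rb"[0-9a-fA-F\s]*")

# Constructed samples: plain formatted text, and a document whose
# \objdata holds a few header bytes followed by the OLE2 magic.
BENIGN_RTF = rb"{\rtf1\ansi Hello \b world\b0 . Literal \\object here.}"
EMBED_RTF = (rb"{\rtf1{\object\objemb{\*\objclass Package}"
             rb"{\*\objdata 01050000 d0cf11e0 a1b11ae1 0000}}}")


def scan_rtf(data: bytes) -> dict:
    """Count object-related control words and decode \\objdata payloads."""
    counts, payloads = {}, []
    for m in CONTROL.finditer(data):
        if m.group(1) is None:          # escaped symbol, not a control word
            continue
        word = m.group(1).decode("ascii")
        if word not in OBJECT_WORDS:
            continue
        counts[word] = counts.get(word, 0) + 1
        if word == "objdata":
            # The payload is hex text; whitespace inside it is ignored.
            hexrun = re.sub(rb"\s+", b"", HEXRUN.match(data, m.end()).group())
            hexrun = hexrun[: len(hexrun) - len(hexrun) % 2]
            blob = bytes.fromhex(hexrun.decode("ascii"))
            payloads.append({"size": len(blob),
                             "contains_ole2": OLE2_MAGIC in blob})
    return {"is_rtf": data.lstrip().startswith(b"{\\rtf"),
            "object_words": counts,
            "payloads": payloads,
            "needs_review": bool(counts)}


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("embedded", EMBED_RTF)):
        print(name, scan_rtf(doc))
```

A hit only means the file carries an object that an OLE-aware application would process; it says nothing about whether the object is harmful.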