Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Microsoft .RTF vulnerability thoughts/actions?

So, some of my clients are asking about the recent .RTF file vulnerability with Microsoft Word.



My question, will the IronPort appliances identify e-mails containing this malware be blocked?


What actions are administrators taking to mitigate this?   


Just asking...

New Member

Found a discussion where it

Found a discussion where it is possibly an executable file embedded in the .RTF file that contains the malware.  Our environment removes certain executable attachments including .exe from e-mails but our IronPort appliances did not remove an embedded .exe file from a test .rtf file.  It will remove .exe files from archive files ie .zip  Just further info.

Cisco Employee

The Sophos engine running on

The Sophos engine running on the ESA/WSA is configured to look inside rtf files for embedded objects. Sophos has classified the threat as Exp/20141761-A related to (CVE-2014-1761) and rules are in place since 25 Mar 2014 03:16:52 (GMT) from Sophos. The Sophos engine on ESA/WSA has received update shortly after Sophos' release.

Also related to:

From Cisco Security Center:

(which includes the following:)

Cisco Web and Email Security

Mitigation: Web Security

Cisco Web Security Appliances (WSA) can filter and protect corporate networks against web-based malware and spyware programs that can compromise corporate security and expose intellectual property. They operate as a proxy and can provide user- and group-based policies that filter certain URL categories, web content, web application visibility and control (AVC), websites based on web reputation, and malware. The WSA can also detect infected clients and stop malicious activity from going outside the corporate network using the L4 Traffic Monitor (L4TM). Policies can be configured using a web GUI. A CLI can also be used. The WSA includes protection for standard communication protocols, such as HTTP, HTTPS, FTP, and SOCKS.

To operate with network devices such as routers and firewalls, the WSA uses the Web Cache Communication Protocol (WCCP). With WCCP, content requests are transparently redirected to the WSA, which acts based on its configuration. Users do not need to configure a web-proxy in their browsers. In Cisco IOS, WCCP is enabled using the ip wccp commands and in the Cisco ASA using the wccp commands.

Cisco WSA can be used to mitigate MS14-017, MS14-019, and MS14-020 by filtering web traffic based on the following:

  • low-reputation URL  destinations
  • .rtf or .pub file types
  • .rtf or .pub malicious files

For more information, see the ASA: WCCP Step-by-Step Configuration document in the Cisco Support Community and the Cisco AsyncOS Web User Guide (PDF).

Mitigation: Email Security

Cisco Email Security Appliances (ESA) eliminate email spam and viruses, enforce corporate policy, and secure the network perimeter. They operate as an SMTP gateway, also known as a mail exchanger or MX. They can filter virus, spam, and phishing outbreaks. They also provide email encryption, message filtering, anti-spam services, antivirus services and more.

Cisco ESA can be used to mitigate MS14-017 and MS14-020 by filtering messages based on an attachment type of .rtf or .pub.

Filter actions allow messages to be dropped, bounced, archived, blind carbon copied, or altered.

Filters can also generate notifications.

For more information, see the Cisco AsyncOS Email Configuration Guide (PDF).


CreatePlease to create content