A proof-of-concept for the critical Microsoft Word vulnerability tracked as CVE-2023-21716 has been made publicly available. The bug has been rated 9.8 out of 10 on the CVSS scale and has already been addressed in Microsoft’s February Patch Tuesday set of updates, alongside other fixes and improvements.
The vulnerability was discovered by security researcher Joshua Drake last year and allows a remote attacker to run code with the same privileges as the user opening the malicious RTF document that contains the payload. Drake disclosed the bug to Microsoft in November 2022 in a technical advisory that included the now-public proof-of-concept (PoC) code.
Upon further investigation, Microsoft discovered that opening the file isn’t necessary, as the exploit will run even if the file is loaded in the Windows preview pane. The issue lies in the RTF parser in Microsoft Word, which has a heap corruption vulnerability that is triggered when a font table with an excessive number of fonts is loaded. The bug may also affect the open-source “unrtf” software, although this hasn’t been confirmed yet.
Drake also pointed out that there’s additional processing involved after the heap memory corruption, which can then be leveraged to run arbitrary code using a “properly crafted heap layout”. Drake’s PoC, which has since been compressed to a few lines, demonstrates the heap corruption by triggering the vulnerability and launching the Windows calculator app.
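As a defensive illustration of the trigger described above, the following added example (not code from the advisory or from Microsoft) is a small heuristic scanner that locates the `\fonttbl` group of an RTF file, honouring nested braces, and flags documents that declare far more fonts than a normal document would. The threshold `MAX_EXPECTED_FONTS` and the sample RTF inputs are constructed assumptions for this example, not values from the advisory.

```python
"""Heuristic scanner: flag RTF files whose font table declares an unusual number of fonts."""
import re
from typing import Optional

# Assumed threshold (not from the advisory): ordinary documents declare a
# handful of fonts, so anything far beyond that is worth a closer look.
MAX_EXPECTED_FONTS = 64


def extract_group(rtf: bytes, control: bytes) -> Optional[bytes]:
    """Return the body of the first {control ...} group, or None if absent/unbalanced."""
    start = rtf.find(b"{" + control)
    if start == -1:
        return None
    depth = 0
    i = start
    while i < len(rtf):
        c = rtf[i]
        if c == 0x5C:  # backslash: the next byte belongs to a control word or escape (\{ \} \\)
            i += 2
            continue
        if c == 0x7B:  # '{' opens a nested group
            depth += 1
        elif c == 0x7D:  # '}' closes one; depth 0 means the fonttbl group itself ended
            depth -= 1
            if depth == 0:
                return rtf[start + 1 + len(control):i]
        i += 1
    return None  # ran off the end without closing the group


def count_fonts(rtf: bytes) -> int:
    """Count \\fN font-number entries inside the font table (\\fnil, \\fcharset etc. do not match)."""
    table = extract_group(rtf, b"\\fonttbl")
    if table is None:
        return 0
    return len(re.findall(rb"\\f(\d+)", table))


def is_suspicious(rtf: bytes, limit: int = MAX_EXPECTED_FONTS) -> bool:
    """True when the document's font table exceeds the assumed limit."""
    return count_fonts(rtf) > limit


# Constructed samples: a normal two-font document and one with an oversized table
# (200 harmless entries, well short of anything the advisory describes).
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0\froman Times New Roman;}{\f1\fswiss Arial;}}\f0 Hello.}"
SUSPICIOUS_RTF = (
    rb"{\rtf1\ansi{\fonttbl"
    + b"".join(b"{\\f%d\\fnil Font%d;}" % (i, i) for i in range(200))
    + rb"}\f0 Hello.}"
)
```

Run it over quarantined attachments as a triage aid; it is a heuristic for review, not a replacement for installing the patch.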
While the issue has already been addressed in the aforementioned February Patch Tuesday set of updates, users who can’t apply the fix are advised to read emails in plain text format. That said, plain text strips images and rich content, which means this workaround is unlikely to be adopted widely, especially for email.
Another workaround is to enable the Microsoft Office File Block policy, which prevents Word from opening RTF files from unknown origins. That said, this workaround involves editing the Windows registry, which, if done incorrectly, can cause OS corruption. At the time of writing, installing the update provided by Microsoft remains the best way of dealing with the issue.