Researchers Publish Proof-of-Concept for Major Microsoft Excel Vulnerability

Written by Mitchell Langley

March 9, 2023

A proof of concept has been released for CVE-2023-21716, a critical remote code execution vulnerability in Microsoft Word.

Microsoft rated this vulnerability with a severity score of 9.8 out of 10, addressed it in the February Patch Tuesday security updates, and published a couple of workarounds.

The severity score is primarily attributed to the vulnerability’s low attack complexity and ability to be exploited without requiring elevated privileges or user interaction.

POC Leverages Heap Corruption Vulnerability

Security researcher Joshua Drake uncovered a vulnerability in Microsoft Office’s “wwlib.dll” and sent Microsoft a technical advisory containing proof-of-concept (PoC) code that illustrated its exploitability.

A remote attacker could potentially leverage the flaw to execute code with the same permissions as the victim who opens a .RTF document. Distributing the file to a victim could be as simple as attaching it to an email, although numerous other methods are available.

Microsoft cautions that users do not need to open the RTF document, and simply loading the file in the Preview Pane is sufficient for compromising the system.

The researchers clarify that the RTF parser in Microsoft Word has a heap corruption vulnerability that is triggered when dealing with a font table (\fonttbl) that contains an excessive number of fonts.

After the memory corruption occurs, there is additional processing, and the threat actor could exploit the bug for arbitrary code execution by employing a properly crafted heap layout.

The researchers’ PoC demonstrates the heap corruption issue but does not go as far as launching the Calculator app in Windows to exhibit code execution.  
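As a triage aid for a mail gateway or file scanner, the sketch below walks the \fonttbl group of an RTF file and counts the fonts it declares. It is an added example, not the researchers' PoC or Microsoft code. The MAX_FONTS threshold, the function names and the sample document are assumptions constructed for illustration.

```python
import re

# Assumed, tunable threshold (not from the advisory): ordinary documents
# declare far fewer fonts than this.
MAX_FONTS = 1000

# An RTF control word: backslash, letters, optional signed number, optional space.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)? ?")
FONTTBL_START = re.compile(rb"\{\s*\\fonttbl")

# Constructed sample: three fonts, one nested {\*\falt ...} group, and a
# \f0 in the body text that must not be counted as a font declaration.
SAMPLE = (rb"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}"
          rb"{\f1\froman{\*\falt Times} Times New Roman;}"
          rb"{\f2\fmodern Courier New;}}\f0 Hello}")

def scan_fonttbl(data: bytes) -> list:
    """Return the font ids declared inside the first {\\fonttbl ...} group."""
    found = FONTTBL_START.search(data)
    if found is None:
        return []
    ids, depth, i = [], 0, found.start()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            m = CONTROL_WORD.match(data, i)
            if m is None:
                i += 2              # control symbol such as \{ \} \\ \' \*
                continue
            if m.group(1) == b"f" and m.group(2):
                ids.append(int(m.group(2)))   # \fN declares font N
            i = m.end()
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:          # end of the font table group
                break
        i += 1
    return ids

def assess(data: bytes, max_fonts: int = MAX_FONTS) -> dict:
    """Summarise the font table and flag files that exceed max_fonts."""
    ids = scan_fonttbl(data)
    return {"fonts": len(ids), "max_id": max(ids, default=None),
            "suspicious": len(ids) > max_fonts}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A flagged file is a candidate for quarantine or manual review, not proof of an exploit attempt; tune the threshold against the RTF traffic you actually see.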

There is no indication that the vulnerability is being exploited in the wild, and Microsoft’s current assessment is that exploiting the issue is less likely.

However, remote code execution in Microsoft Word is highly desirable and would enable the widespread distribution of malware via email.

A comparable vulnerability in the Microsoft Excel Equation Editor has already been patched but is still used today in some campaigns.

Workarounds Can Be Risky

The vendor’s advisory for CVE-2023-21716 contains a complete list of the Microsoft Office products affected by the vulnerability.

For users unable to apply the fix, Microsoft suggests reading emails in plain text format, a solution that is unlikely to be adopted due to the inconvenience of lacking images and rich content.

Enabling the Microsoft Office File Block policy prevents Office apps from opening RTF documents from unknown or untrusted sources.

However, this method requires modifying the Windows Registry, and Microsoft warns that using Registry Editor incorrectly may cause serious problems that may require you to reinstall your operating system. Furthermore, users who have not established an “exempt directory” risk being unable to open any RTF document.

Although a complete exploit is not available, installing the security update from Microsoft remains the safest approach to address the vulnerability.
