Microsoft Word Remote Code Execution Vulnerability (CVE-2023-21716)

On the 14th February 2023, Microsoft released a security advisory detailing CVE-2023-21716 – a Remote Code Execution (RCE) vulnerability affecting a variety of Office, SharePoint, and 365 Application versions. The vulnerability has been assigned a CVSSv3.1 score of 9.8 (CRITICAL), given the ease of exploitability and minimal victim interaction required. 

Given that there is now PoC code in the wild and that RTF extensions are commonly permitted through mail gateways, Prism Infosec is advising clients who use the Microsoft Office suite to ensure that this issue is suitably remediated in their environments.

Vulnerability Impact:

An unauthenticated attacker may attempt to exploit a heap corruption vulnerability in Microsoft Word’s Rich-Text Format (RTF) parser to achieve arbitrary command execution on the target machine in the event that an unsuspecting victim opens a malicious .RTF document. The limitation here, however, is that an attacker may be required to successfully deliver the malicious document and entice a victim to open it.

Microsoft’s security advisory has also noted that opening the malicious file may not be at all necessary and the exploit could be triggered via the Preview Pane. Recently, security researcher Joshua J. Drake published a Proof-of-Concept (PoC) script for generating .RTF files which may trigger the issue. Availability of exploit code usually leads to an influx of opportunistic attackers, as they may trivially modify an existing PoC rather than developing an exploit from scratch.

Vulnerability Fixes / Workarounds:

Microsoft addressed the vulnerability on the 14th of February as part of “Patch Tuesday” and advises that the safest way to remediate the issue is to apply the security update for the affected products. For those users who are unable to update, the following workarounds are suggested:

  • Use the Registry Editor to configure a Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources. Microsoft caveats this approach stating, “If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system.”
  • Configure Microsoft Outlook to read all mail in plain text – however, it should be noted that this approach may impact user experience due to the lack of images and rich content.
  • Ensure that Internet inbound files with RTF extensions are quarantined by mail gateways, mail servers, and/or cloud services.
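
The mail-gateway workaround above depends on recognising RTF attachments reliably. As an added example (not code from Microsoft's advisory or from Prism Infosec), this Python code classifies each attachment by file extension, declared MIME type and the `{\rtf` file signature, so that RTF content is identified whatever the file is named; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rtf"                     # an RTF document begins with this control word
RTF_MIME_TYPES = {"application/rtf", "text/rtf"}
UTF8_BOM = b"\xef\xbb\xbf"


def rtf_reasons(part):
    """Return why an attachment should be treated as RTF (empty list = not RTF)."""
    reasons = []
    name = (part.get_filename() or "").lower()
    if name.endswith(".rtf"):
        reasons.append("extension")
    if part.get_content_type() in RTF_MIME_TYPES:
        reasons.append("mime-type")
    body = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
    if body.startswith(UTF8_BOM):
        body = body[len(UTF8_BOM):]
    if body.lstrip().startswith(RTF_MAGIC):       # classify by content, not by name
        reasons.append("content")
    return reasons


def quarantine_candidates(raw_message):
    """Map attachment file name -> reasons for every attachment that looks like RTF."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = {}
    for part in msg.iter_attachments():
        reasons = rtf_reasons(part)
        if reasons:
            hits[part.get_filename() or "<unnamed>"] = reasons
    return hits


def build_sample():
    """Constructed test message; the attachment bodies are harmless placeholders."""
    rtf = b"{\\rtf1\\ansi Hello}"
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("see attached")
    msg.add_attachment(rtf, maintype="application", subtype="rtf", filename="invoice.rtf")
    msg.add_attachment(rtf, maintype="application", subtype="msword", filename="report.doc")
    msg.add_attachment(b"plain notes", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in quarantine_candidates(build_sample()).items():
        print(name, why)
```

Only top-level attachments are inspected here; a production filter would also need to unpack archives and nested messages before applying the same check.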

References:

https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716
