contact@prisminfosec.com +44 (0) 1242 652 100 +44 (0) 1242 652 100

LATEST CYBER SECURITY NEWS AND VIEWS

Home > News > Microsoft Word Remote Code Execution Vulnerability (CVE-2023-21716)

Latest news

Microsoft Word Remote Code Execution Vulnerability (CVE-2023-21716)

Posted on by Prism Infosec

On the 14th February 2023, Microsoft released a security advisory detailing CVE-2023-21716 – a Remote Code Execution (RCE) vulnerability affecting a variety of Office, SharePoint, and 365 Application versions. The vulnerability has been assigned a CVSSv3.1 score of 9.8 (CRITICAL), given the ease of exploitability and minimal victim interaction required. 

Given that there is now PoC code in the wild and that RTF extensions are commonly permitted through mail gateways Prism Infosec is advising its clients which use the Microsoft Office suite that they should ensure that this issue is suitably remediated in their environments.

Vulnerability Impact:

An unauthenticated attacker may attempt to exploit a heap corruption vulnerability in Microsoft Word’s Rich-Text Format (RTF) parser to achieve arbitrary command execution on the target machine in the event an unsuspecting victim opens a malicious .RTF document. The limitation here, however, is that an attacker may be required to successfully deliver and entice a victim to open the malicious document. 

Microsoft’s security advisory has also noted that opening the malicious file may not be at all necessary and the exploit could be triggered via the Preview Pane. Recently, security researcher Joshua J. Drake published a Proof-of-Concept (PoC) script for generating .RTF files which may trigger the issue. Availability of exploit code usually leads to an influx of opportunistic attackers, as they may trivially modify an existing PoC rather than developing an exploit from scratch.

Vulnerability Fixes / Workarounds:

Microsoft has addressed the vulnerability on the 14th of February as part of “Patch Tuesday”, and advises that the safest way to remediate the issue is to apply the security update for the affected products. For those users who are unable to update, the following workarounds are suggested:

  • Use the Registry Editor to configure a Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources. Microsoft caveats this approach stating, “If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system.”
  • Configure Microsoft Outlook to read all mail in plain text – however, it should be noted that this approach may impact user experience due to the lack of images and rich content.
  • Ensure that Internet inbound files with RTF extensions are quarantined by mail gateways, mail servers, and/or cloud services.

References:

https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716

FILTER RESULTS

Latest tweets

Retweet on Twitter Prism Infosec Retweeted
Innovation News Network @innonewsnetwork ·
25 Mar

Phil Robinson, Principal Consultant at @prisminfosec, details how addressing cyber maturity can improve a business’ cybersecurity strategy.
#CyberMaturity #Cybersecurity

Click the link below to discover more⬇️

Retweet on Twitter Prism Infosec Retweeted
Cyber Essentials @cyberessentials ·
20 Feb

Congratulations to the following companies who are now certified to #CyberEssentials via our great Certification Bodies: Atlantic Limited via @prisminfosec and Ashbrook Research & Consultancy Ltd via @sericsystems

Sign up to our newsletter

  • Fields marked with an * are mandatory

  • This field is for validation purposes and should be left unchanged.