Published March 8, 2023
Author: Ash Khan

Over the weekend, a proof-of-concept for CVE-2023-21716, a severe vulnerability in Microsoft Word that permits remote code execution, was disclosed.

The vulnerability carries a severity score of 9.8 out of 10. Microsoft, the company behind Office 365, addressed it in the February Patch Tuesday security updates, along with a handful of workarounds.

The severity score reflects the low attack complexity and the fact that exploitation requires neither privileged access nor user interaction.

Last year, security researcher Joshua Drake discovered the vulnerability in Microsoft Office’s “wwlib.dll” and sent Microsoft a technical advisory with proof-of-concept (PoC) code demonstrating that the issue is exploitable.

A remote attacker can exploit the flaw to execute code with the same privileges as the victim who opens a malicious document in RTF format.

Delivering the malicious file to a target can be as simple as attaching it to an email, though there are several other options.

Microsoft advises that a user does not even need to open the malicious RTF document: merely viewing the file in the Preview Pane is enough to trigger the attack.

According to the researcher, the Microsoft Word RTF parser contains a heap corruption vulnerability that is triggered “when dealing with a font table (*fonttbl*) containing an excessive number of fonts (*f###*).”

Once the memory corruption occurs, an attacker could exploit the problem by using a “well-constructed heap structure.”
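Because the trigger described above is a font table declaring far more fonts than any real document needs, a mail gateway or file scanner can flag such documents before they reach a Preview Pane. The following scanner is an added example, not code from the researcher or from Microsoft; the threshold and the two sample documents are constructed assumptions.

```python
import re
from typing import Optional

# Assumption: legitimate documents declare tens of fonts at most; a table with
# thousands of \fN entries matches the trigger the researcher describes.
MAX_EXPECTED_FONTS = 1000

FONTTBL_START = re.compile(r"\{\\fonttbl")
# Matches font-number keywords such as \f0 or \f12; keywords like \fswiss,
# \fcharset0 or \fs24 have letters after "f" and are therefore skipped.
FONT_ENTRY = re.compile(r"\\f(\d+)")


def extract_fonttbl(rtf: str) -> Optional[str]:
    """Return the raw {\\fonttbl ...} group, honouring nested braces, or None."""
    m = FONTTBL_START.search(rtf)
    if m is None:
        return None
    depth = 0
    for i in range(m.start(), len(rtf)):
        if rtf[i] == "{":
            depth += 1
        elif rtf[i] == "}":
            depth -= 1
            if depth == 0:
                return rtf[m.start():i + 1]
    return rtf[m.start():]  # unterminated group: scan what is present


def font_stats(rtf: str) -> dict:
    """Count font declarations inside the font table and report the largest id."""
    table = extract_fonttbl(rtf)
    if table is None:
        return {"entries": 0, "max_id": -1}
    ids = [int(n) for n in FONT_ENTRY.findall(table)]
    return {"entries": len(ids), "max_id": max(ids) if ids else -1}


def is_suspicious(rtf: str, threshold: int = MAX_EXPECTED_FONTS) -> bool:
    """Flag a document whose font table is far larger than any real one."""
    stats = font_stats(rtf)
    return stats["entries"] > threshold or stats["max_id"] > threshold


# Constructed samples: an ordinary two-font document and one whose font table
# is padded with far more entries than any word processor would emit.
BENIGN_RTF = r"{\rtf1\ansi{\fonttbl{\f0\fswiss Helvetica;}{\f1\froman Times;}}\f0\fs24 Hello}"
PADDED_RTF = r"{\rtf1{\fonttbl" + "".join(f"{{\\f{i} X;}}" for i in range(2000)) + "}}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("padded", PADDED_RTF)):
        print(name, font_stats(doc), "suspicious" if is_suspicious(doc) else "ok")
```

The scanner only looks at the size of the font table, so it is a triage heuristic to pair with the vendor update, not a replacement for it.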

Tweet-sized PoC

The researcher’s PoC triggers the heap corruption but stops short of launching the Windows Calculator app to demonstrate code execution.

No exploitation in the wild has been reported, and Microsoft assesses exploitation as “less likely.”

Critical vulnerabilities like this one attract threat actors, and the more skilled ones attempt to reverse engineer the fix to find a way to exploit it.

Once exploit code becomes accessible, a wider pool of attackers begins to exploit the vulnerability, since altering a PoC takes far less work than creating an exploit from scratch.

It is unknown whether the current proof of concept can be turned into a full-fledged exploit; it only indicates that exploitation is conceivable without demonstrating it.

Moreover, remote code execution in Office 365 is actively pursued because it would facilitate widespread malware distribution.

A similar vulnerability in Microsoft Excel Equation Editor has been patched, yet it still features in certain campaigns today.

Workarounds might backfire

The vendor’s advisory for CVE-2023-21716 contains a complete list of Microsoft Office products affected by the issue.

Customers unable to install the update can read emails in plain text format, but this is unlikely to be widely adopted because images and rich content are not displayed.

Another alternative is to enable the Microsoft Office File Block policy, which prevents Office apps from opening RTF files from unknown or untrusted sources.

This approach requires modifying the Windows Registry and comes with Microsoft’s standard warning: using Registry Editor incorrectly may cause serious problems that could require reinstalling the operating system.

Furthermore, if an “exempt directory” is not specified, users risk being unable to open any RTF document at all.

Even though a complete attack is not currently available and remains theoretical, applying the Microsoft security update is the safest way to address the problem.