A proof of concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, was released over the weekend.
The vulnerability was assigned a severity score of 9.8 out of 10, with Microsoft addressing it in the February Patch Tuesday security updates along with some workarounds.
The severity score reflects mainly the low complexity of the attack, combined with the fact that exploiting it requires neither privileges nor user interaction.
Last year, security researcher Joshua Drake discovered the vulnerability in Microsoft Office’s “wwlib.dll” and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing that the issue is exploitable.
A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim who opens a malicious .RTF document.
Delivering the malicious file to a victim can be as simple as an email attachment, although there are many other methods.
Microsoft warns that users do not even have to open a malicious RTF document: simply loading the file in the preview pane is enough for the compromise to begin.
The researcher explains that Microsoft Word’s RTF parser has a heap corruption vulnerability that is triggered “when it is a font table (\fonttbl) that contains an excessive number of fonts (\f###)”.
Drake says there is additional processing after the memory corruption and that a malicious actor could exploit the bug to execute arbitrary code using “a properly designed heap layout”.
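As an added defensive example (not code from the article, from Microsoft, or from Drake’s PoC), the following Python scanner walks an RTF file’s group structure and counts the \fN entries inside each \fonttbl group, the construct the advisory names as the trigger, so that oversized font tables can be flagged at a mail gateway or in a sandbox before a document reaches the preview pane. The threshold is an assumption (the article gives no number) and the sample document is constructed.

```python
import re

# Assumed triage threshold: the article does not state the font count that
# triggers the bug, so tune this for your environment. Real documents rarely
# declare more than a few dozen fonts.
FONT_COUNT_THRESHOLD = 4096

# RTF control word: backslash, letters, optional signed numeric parameter,
# optional single space delimiter (e.g. "\fonttbl", "\f0 ", "\fcharset0").
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?")


def fonttbl_font_counts(rtf: bytes) -> list[int]:
    """Return the number of \\fN entries in each {\\fonttbl ...} group.

    A brace stack tracks group depth so that \\fN font switches in body text
    (outside the font table) are not counted. One count per table found.
    """
    counts: list[int] = []
    depth = 0
    table_depth = None  # depth of the currently open \fonttbl group, if any
    i, n = 0, len(rtf)
    while i < n:
        c = rtf[i:i + 1]
        if c == b"{":
            depth += 1
            i += 1
        elif c == b"}":
            if table_depth is not None and depth == table_depth:
                table_depth = None  # the font table group just closed
            depth -= 1
            i += 1
        elif c == b"\\":
            m = CONTROL_WORD.match(rtf, i)
            if not m:  # control symbol such as \{ \} \\ or \'hh: skip it
                i += 2
                continue
            word, param = m.group(1), m.group(2)
            if word == b"fonttbl" and table_depth is None:
                table_depth = depth
                counts.append(0)
            elif word == b"f" and param is not None and table_depth is not None:
                counts[-1] += 1
            i = m.end()
        else:
            i += 1
    return counts


def is_suspicious(rtf: bytes, threshold: int = FONT_COUNT_THRESHOLD) -> bool:
    """True if any font table declares at least `threshold` fonts."""
    return any(count >= threshold for count in fonttbl_font_counts(rtf))


# Constructed benign sample: three fonts in the table, font switches in the body.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi"
    b"{\\fonttbl{\\f0\\fswiss Arial;}{\\f1\\froman Times New Roman;}"
    b"{\\f2\\fmodern Courier New;}}"
    b"\\f0 Plain text, then \\f1 a font switch \\f2 and another.\\par}"
)
```

Run the scanner over attachments as a triage signal only; a count above the threshold is a reason to block or detonate the file, not proof of exploitation, and the heap corruption itself still requires the vendor patch.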
The researcher’s PoC demonstrates the heap corruption but stops short of launching the Windows Calculator app, the usual way of proving code execution.
Initially, the PoC consisted of just over ten lines, including comments. Since the report was sent to Microsoft in November 2022, the researcher has trimmed a few lines and managed to fit the whole thing into a tweet.
At this time, there is no indication that the vulnerability is being exploited in the wild and Microsoft’s current assessment is that taking advantage of the issue is “less likely”.
Critical vulnerabilities like this attract the attention of threat actors, with the advanced ones trying to reverse engineer the patch to find a way to exploit it.
Typically, once exploit code becomes available, a larger group of attackers begins using the vulnerability, because modifying a PoC takes far less effort than creating an exploit from scratch.
It is unclear whether Joshua Drake’s current PoC can be turned into a full-fledged exploit, as it only shows that exploitation is possible without demonstrating it.
However, this remote code execution in Microsoft Word is highly coveted and would allow widespread distribution of malware via email.
A similar vulnerability in the Microsoft Excel Equation Editor was patched long ago and is still used today in some campaigns.
Workarounds Could Backfire
A complete list of the Microsoft Office products affected by the vulnerability is available in the vendor’s advisory for CVE-2023-21716.
For users who cannot apply the patch, Microsoft recommends reading emails in plain text format, which is unlikely to be widely adopted because of the resulting inconveniences (no images or rich content).
Another solution is to enable the Microsoft Office File Block policy, which prevents Office applications from opening RTF documents of unknown or untrusted origin.
This method requires editing the Windows Registry and comes with Microsoft’s usual caveat: “If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your system”.
Additionally, if an “exempt directory” has not been configured, users run the risk of not being able to open any RTF document at all.
Although a full exploit is currently unavailable and remains theoretical, installing Microsoft’s security update is still the safest way to address the vulnerability.