Overview

On February 14th, 2023, Microsoft released a security advisory for Microsoft Word regarding a critical remote code execution (RCE) vulnerability. The vulnerability, CVE-2023-21716, was released as a critical severity and deemed “less likely” to be exploited with no Proof of Concept (PoC) exploits attached. However, within the last few days, a PoC exploit for this CVE was released by a security researcher on Twitter.

The Security researcher, Joshua Drake, revealed that remote attackers could leverage the issue to execute code with the same privileges as the victim that opens the malicious .RTF document.

Adding to the concern, many methods exist to deliver the malicious file to victims—one of the easiest options being to attach it to an email in a phishing attempt. 

And, as Microsoft warns users, all it takes to trigger the compromise is to load the file in the Preview Pane. What happens is the Rich Text Format (RTF) parser in Word has a corruption vulnerability that activates when one interacts with the font table (*\fonttbl*) that contains an excessive number of fonts (*\f###*).

What You Can Do

Microsoft has released a few workarounds, the simplest of which requires users to apply the security update which Microsoft shared. Multiple versions of Office have been affected, and there are different instructions for each, including Office 2013, Office 2016, Office 2019, and Office 2021. You can find these at the first link listed below.

Another tip Microsoft recommends for users is to read emails in plain text format. Emails in this format do not include rich content such as pictures, specialized fonts, etc. Thus, this option inhibits users from opening email attachments or any associated malicious links. Reading emails in plain text format is typically not the default for email users and must be configured to read all standard mail in plain text. This Microsoft Knowledge Base Article 831607  guides how to read all standard mail in plain text. 

Another workaround is to enable the Microsoft Office File Block policy, which can stop any Office applications from opening RTF documents of unknown or untrusted origins. To do this, you would need to modify the Windows Registry, and if done incorrectly can cause even more problems to your device.

It is crucial to stay current on the latest exploits and update to the latest versions of software available to protect your devices, applications, and organization from vulnerabilities.

Sources

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716 – Microsoft Updatehttps://nvd.nist.gov/vuln/detail/CVE-2023-21716 – NIST NVDhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21716 – CVE-2023-21716https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/