Over the weekend, a proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that permits remote code execution, was published.
The vulnerability was assigned a 9.8 out of 10 severity rating, and Microsoft addressed it in the February Patch Tuesday security updates, alongside a couple of workarounds.
The severity rating is primarily determined by the low attack complexity and the lack of required privileges and user interaction.
Last year, security researcher Joshua Drake discovered the flaw in Microsoft Office’s “wwlib.dll” and sent Microsoft a technical advisory containing exploitable proof-of-concept (PoC) code.
A remote attacker could exploit this vulnerability to execute code with the same privileges as the victim when the victim opens a malicious file.
Delivering the malicious file to a victim is as simple as attaching it to an email, although there are numerous other delivery methods.
Microsoft warns that users do not need to open a malicious RTF document for the compromise to begin; simply loading the file in the Preview Pane is sufficient.
The researcher explains that Microsoft Word’s RTF parser is susceptible to heap corruption “when dealing with a font table (\fonttbl) containing an excessive number of fonts (\f###).”
Drake states that additional processing occurs after memory corruption, and a threat actor could exploit the vulnerability to execute arbitrary code by using “a properly crafted heap layout.”
The researcher’s proof of concept demonstrates heap corruption but does not launch the Windows Calculator application to demonstrate code execution.
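As an added defender-side example (not code from the article or from the researcher), the script below parses the \fonttbl group of an RTF file, counts its \fN font definitions and flags documents whose font table is far larger than ordinary documents produce; such a check can be run at a mail gateway before a file reaches Outlook's Preview Pane. The sample documents and the threshold are assumptions: the article gives no number for "excessive".

```python
import re
from typing import Optional

# Constructed sample documents (not from the original article).
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f1\froman Times;}}\f0 Hello\par}"
# 64 entries: small enough to embed safely, large enough to trip the low test threshold.
BLOATED_RTF = (rb"{\rtf1\ansi{\fonttbl"
               + b"".join(b"{\\f%d\\fnil Font%d;}" % (i, i) for i in range(64))
               + rb"}\f0 Hello\par}")

def extract_fonttbl(data: bytes) -> Optional[bytes]:
    """Return the raw bytes of the group containing \fonttbl, honouring RTF brace nesting."""
    pos = data.find(b"\\fonttbl")
    if pos == -1:
        return None
    start = data.rfind(b"{", 0, pos)          # opening brace of the fonttbl group
    if start == -1:
        return None
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                        # skip escaped characters such as \{ and \}
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]                       # unterminated group: return what is present

def fonttbl_stats(data: bytes) -> dict:
    """Count \fN font definitions inside the font table and record the largest index."""
    tbl = extract_fonttbl(data)
    if tbl is None:
        return {"has_fonttbl": False, "font_count": 0, "max_index": -1}
    ids = [int(m) for m in re.findall(rb"\\f(\d+)", tbl)]
    return {"has_fonttbl": True, "font_count": len(ids), "max_index": max(ids, default=-1)}

def is_suspicious(data: bytes, max_fonts: int = 1000) -> bool:
    """Flag a document whose font table is far larger than ordinary documents produce.
    max_fonts is an assumed, tunable threshold (the article gives no figure)."""
    s = fonttbl_stats(data)
    return s["has_fonttbl"] and (s["font_count"] > max_fonts or s["max_index"] > max_fonts)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("bloated", BLOATED_RTF)):
        print(name, fonttbl_stats(doc), is_suspicious(doc, max_fonts=16))
```

A hit is a triage signal, not proof of exploitation: quarantine the file and inspect it in an isolated environment rather than previewing it.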
Initially, the PoC consisted of approximately twelve lines, including comments. Since the report submitted to Microsoft in November 2022, the researcher has shortened a few lines and managed to fit everything into a tweet:
Currently, there are no indications that the vulnerability is being exploited in the wild, and Microsoft has determined that exploitation is “less likely.”
Critical vulnerabilities such as this one attract the interest of threat actors, with the more sophisticated ones attempting to reverse engineer the patch to find a way to exploit it.
Since it requires less effort to modify a Proof-of-Concept than it does to create an exploit from scratch, when exploit code becomes available, a larger number of attackers typically begin utilising the vulnerability.
It is unknown whether Joshua Drake’s current proof-of-concept can be weaponized into a full-fledged exploit, as it only demonstrates the memory corruption without proving that code execution is achievable.
This remote code execution in Microsoft Word, however, is highly sought after and would enable the widespread distribution of malware via email.
A similar vulnerability in the Microsoft Excel Equation Editor has been patched for quite some time, but it is still used in some campaigns today.
Workarounds Could Backfire
The vendor advisory for CVE-2023-21716 contains a comprehensive list of the Microsoft Office products affected by the vulnerability.
Microsoft recommends that users who cannot apply the fix read emails in plain text format, which is unlikely to be adopted due to the resulting inconveniences (lack of images and rich content).
The other workaround is to enable the Microsoft Office File Block policy, which prevents Office applications from opening RTF files from unknown or untrusted sources.
This method requires editing the Windows Registry and comes with the following warning: “If you use Registry Editor incorrectly, you may cause serious problems that require reinstalling the operating system.”
In addition, if an “exempt directory” has not been specified, users risk being unable to open any RTF file.
Even though a complete exploit is currently unavailable and only hypothetical, installing the Microsoft security update remains the safest way to address the vulnerability.