Last week, cybersecurity researcher Joshua Drake published a proof-of-concept for a vulnerability in Microsoft Word, detailing a way for threat actors to deliver malware (opens in new tab) without users ever needing to open a file.
The vulnerability is tracked as CVE-2023-21716. It’s been given a 9.8 severity score and deemed critical, as it allows for remote code execution.
BleepingComputer reported that Microsoft fixed it in the February Patch Tuesday cumulative update.
No evidence of abuse
Those that do not apply the patch risk having their endpoints compromised merely by loading a malicious .RTF document in the preview pane.
As per Drake’s report, the RTF parser in Microsoft Word carries a heap corruption flaw that can be activated “when dealing with a font table containing an excessive number of fonts.” What’s more, the vulnerability is relatively easy to write, as its entire code can fit in a single tweet.
On the other hand, Microsoft reassured users that threat actors actually abusing the flaw is “less likely”, adding that there is no evidence this has happened in the wild. Truth be told, we can’t say for certain if Drake’s PoC can be weaponized or not, as they only showed the exploitation in theory.
For those not interested in risking anything, the best way to stay protected is to apply Microsoft’s cumulative update published in the February Patch Tuesday. Those that can’t apply the fix for whatever reason should either read emails in plain text format, or enable the Microsoft Office File Block policy, which bans Office apps from opening RTF documents originating from untrusted sources.
The latter requires a bit more skill, though, as the Windows Registry needs to be tweaked. Furthermore, “if you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system,” Microsoft cautions.
Also, if you don’t set up an “exempt directory”, you might not be able to open any RTF document anymore.
Via: BleepingComputer (opens in new tab)
