Last week, cybersecurity researcher Joshua Drake published a proof-of-concept for a vulnerability in Microsoft Word describing a way for threat actors to deliver malware without users ever having to open a file.
The vulnerability is tracked as CVE-2023-21716. It has been given a severity score of 9.8 and is considered critical because it allows remote code execution.
BleepingComputer reported that Microsoft has fixed the issue in the February Patch Tuesday cumulative update.
No evidence of abuse
Those who don’t apply the patch risk their endpoints being compromised just by loading a malicious .RTF document into the preview window.
According to Drake’s report, the RTF parser in Microsoft Word contains a heap corruption error that can be triggered “when dealing with a font table that contains an excessive number of fonts.” In addition, the proof-of-concept is remarkably compact: the entire code fits in one tweet.
On the other hand, Microsoft assured users that threat actors actually exploiting the flaw are “less likely”, adding that there is no evidence that this has happened in the wild. Honestly, we can’t say for sure whether Drake’s PoC can be weaponized or not, because it only demonstrates exploitation in principle.
For those who don’t want to risk anything, the best way to stay protected is to apply Microsoft’s cumulative update published in February’s Patch Tuesday. Those who cannot apply the fix for any reason should read emails in plain text or enable the Microsoft Office File Block policy, which prohibits Office apps from opening RTF documents that come from untrusted sources.
However, the latter requires a bit more skill, as the Windows registry needs to be modified. Additionally, “Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system,” warns Microsoft.
If you don’t set an “exempt folder”, you may not be able to open an RTF document.
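As an added illustration of the registry change described above (example code, not from the article or from Microsoft), the following PowerShell applies and reverts the File Block setting for RTF in the current user's Word profile. It assumes the Office 16.0 registry tree (Office 2016/2019/365) and the value names RtfFiles and OpenInProtectedView used by Word's File Block settings.

```powershell
# Added example: toggle the Office File Block policy for RTF in the current user's
# Word settings. Assumptions: Office 16.0 key path (Office 2016/2019/365) and the
# File Block value names RtfFiles / OpenInProtectedView.
$FileBlockKey = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\FileBlock'

function Get-RtfFileBlockState {
    # Report the current RTF File Block values; $null means "not configured".
    if (-not (Test-Path $FileBlockKey)) {
        return [pscustomobject]@{ RtfFiles = $null; OpenInProtectedView = $null }
    }
    $props = Get-ItemProperty -Path $FileBlockKey
    [pscustomobject]@{
        RtfFiles            = $props.RtfFiles
        OpenInProtectedView = $props.OpenInProtectedView
    }
}

function Enable-RtfFileBlock {
    # RtfFiles = 2 selects RTF for blocking; OpenInProtectedView = 0 chooses
    # "do not open" instead of still opening the file in Protected View.
    if (-not (Test-Path $FileBlockKey)) { New-Item -Path $FileBlockKey -Force | Out-Null }
    New-ItemProperty -Path $FileBlockKey -Name 'RtfFiles' -PropertyType DWord -Value 2 -Force | Out-Null
    New-ItemProperty -Path $FileBlockKey -Name 'OpenInProtectedView' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Disable-RtfFileBlock {
    # Revert once the February update is installed; until then, with no exempt
    # folder configured, Word refuses to open any RTF document.
    if (Test-Path $FileBlockKey) {
        Remove-ItemProperty -Path $FileBlockKey -Name 'RtfFiles','OpenInProtectedView' -ErrorAction SilentlyContinue
    }
}

Write-Host 'Before:'; Get-RtfFileBlockState
Enable-RtfFileBlock
Write-Host 'After:';  Get-RtfFileBlockState
```

Word must be restarted for the change to take effect, and the same values can be pushed via Group Policy for a fleet instead of per user.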
Via: Bleeping Computer