Microsoft Word RCE vulnerability
This live blog contains information regarding the Microsoft Word RCE vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on March 7, 2023.

T-Update
Update March 7, 2023
18:30 | On the 14th of February 2023, Microsoft published its Patch Tuesday updates, which include CVE-2023-21716. This is a heap corruption vulnerability in Microsoft Word's RTF parser. An unauthenticated attacker who gets a crafted RTF file parsed by Word can execute arbitrary code with the privileges of the victim.
The vulnerability can be triggered, for example, by an attachment in an e-mail. The user does not have to open the malicious RTF document: having the file rendered in the Preview Pane of, for example, Microsoft Outlook is enough to compromise the system.
On the 5th of March 2023, a proof-of-concept exploit was published. Microsoft has published patches and several workarounds. It is advised to install the patch, or, where that is not yet possible, to apply one of the workarounds.
Background
On the 14th of February 2023, Microsoft published its Patch Tuesday updates, which include CVE-2023-21716, a heap corruption vulnerability in Microsoft Word's RTF parser that allows an unauthenticated attacker to execute arbitrary code with the victim's privileges. On the 5th of March 2023, a proof-of-concept exploit was published. Microsoft has published patches and several workarounds. It is advised to install the patch, or, where that is not yet possible, to apply one of the workarounds.
Risk
CVE-2023-21716 has a CVSS score of 9.8 on a scale from 0 to 10, which places it in the Critical band (9.0 and above): exploitation requires no privileges or user interaction and leads to full compromise of the affected system. The vulnerability is a heap corruption bug in Microsoft Word's RTF parser and allows an unauthenticated attacker to execute arbitrary code with the victim's privileges. The user does not have to open the malicious RTF document: having the file rendered in the Preview Pane of, for example, Microsoft Outlook is enough to compromise the system.
Microsoft stated that there is no indication that the vulnerability is being exploited in the wild. However, now that exploit code is publicly available, a much larger pool of attackers is able to build a working exploit from it, so the likelihood of exploitation rises.
Advice
The vulnerability exists in the following products:
- Microsoft 365 Apps for Enterprise, 32-bit and 64-bit editions
- Microsoft Office
  - Office 2019
  - Office LTSC 2021
  - Office Online Server
  - Office Web Apps Server 2013 Service Pack 1
- Microsoft Word
  - Word 2013 for RT Service Pack 1
  - Word 2013 Service Pack 1, 32-bit and 64-bit editions
  - Word 2016, 32-bit and 64-bit editions
- Microsoft SharePoint
  - Enterprise Server 2013 Service Pack 1
  - Enterprise Server 2016
  - Foundation 2013 Service Pack 1
  - Server 2019
  - Server Subscription Edition
  - Server Subscription Edition Language Pack
Microsoft has published patches and several workarounds. Installing the patch is the preferred action, as it removes the vulnerable code rather than limiting how it can be reached.
If patching is not an option yet, apply the workarounds given by Microsoft in the update guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716. Note that a workaround only narrows the attack surface; the patch should still be scheduled.
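As an added example (not part of the original post, and not Microsoft's own tooling), the script below applies and verifies the Word File Block workaround on a single Windows workstation. The registry location and values are an assumption based on my reading of the Microsoft advisory linked above: the per-user key `HKCU:\Software\Microsoft\Office\<version>\Word\Security\FileBlock` with `RtfFiles` set to 2 (block opening and saving of RTF) and `OpenInProtectedView` set to 0 (do not open blocked file types at all). Verify both against the advisory before rolling this out; the version numbers `16.0` (Microsoft 365 Apps, Office 2019, Office LTSC 2021, Word 2016) and `15.0` (Word 2013) are likewise assumptions, and `-Revert` is a helper name chosen for this example.

```powershell
# Added example: apply or revert the Word RTF File Block workaround for
# CVE-2023-21716 and read the resulting state back for verification.
# Assumed registry layout (check against the MSRC advisory before use):
#   HKCU:\Software\Microsoft\Office\<version>\Word\Security\FileBlock
#     RtfFiles            (DWORD) = 2  -> block open and save of RTF files
#     OpenInProtectedView (DWORD) = 0  -> do not open blocked types at all
param(
    [string[]]$OfficeVersions = @('16.0', '15.0'),  # assumed: 16.0 = M365/2016/2019/2021, 15.0 = 2013
    [switch]$Revert                                  # remove the two values again after patching
)

function Get-WordFileBlockState {
    param([Parameter(Mandatory)][string]$Version)
    $key = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    # Blocked is only true when both values match the workaround exactly.
    [pscustomobject]@{
        Version             = $Version
        RtfFiles            = $props.RtfFiles
        OpenInProtectedView = $props.OpenInProtectedView
        Blocked             = ($props.RtfFiles -eq 2 -and $props.OpenInProtectedView -eq 0)
    }
}

function Set-WordRtfBlock {
    param([Parameter(Mandatory)][string]$Version, [bool]$Enable = $true)
    $key = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
    if ($Enable) {
        # -Force creates missing parent keys and overwrites existing values.
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name RtfFiles -PropertyType DWord -Value 2 -Force | Out-Null
        New-ItemProperty -Path $key -Name OpenInProtectedView -PropertyType DWord -Value 0 -Force | Out-Null
    }
    elseif (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name RtfFiles, OpenInProtectedView -ErrorAction SilentlyContinue
    }
}

foreach ($v in $OfficeVersions) {
    Set-WordRtfBlock -Version $v -Enable (-not $Revert)
    $state = Get-WordFileBlockState -Version $v
    if ($null -eq $state) {
        Write-Output "Office $v : no FileBlock key present"
        continue
    }
    Write-Output ("Office {0} : RtfFiles={1} OpenInProtectedView={2} Blocked={3}" -f `
        $state.Version, $state.RtfFiles, $state.OpenInProtectedView, $state.Blocked)
}
```

Run it as the user whose Word profile should be hardened, then open any RTF file to confirm Word refuses it; run it again with `-Revert` once the February 2023 update is installed. Because the key lives under HKCU it protects only that user; for a fleet, push the same File Block setting through Group Policy instead. This script covers only the File Block workaround, which limits what Word itself will open; the advisory's separate workaround of reading e-mail in plain text addresses the Outlook Preview Pane vector described above, and the patch remains the only complete fix.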
Sources
More information:
- Microsoft update-guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716
- The public exploit: https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md