PoC exploit for 'critical' Word vulnerability released
Viewing a specially crafted RTF file can allow remote code execution by an attacker
A security researcher has released a proof of concept exploit for a critical vulnerability in Microsoft Word.
The vulnerability was patched by Microsoft in its February Patch Tuesday update. However, the ubiquity of Microsoft Office and the likelihood that many users have not yet applied the patch or taken other protective measures mean that attackers will almost certainly attempt to exploit the bug.
Microsoft urges users to update their systems or to apply one of two workarounds if patching is not possible.
"An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file," Microsoft says in its advisory for the vulnerability, which is tracked as CVE-2023-21716.
A malicious RTF file can trigger the bug when it is rendered in the Outlook Preview Pane; the recipient does not need to open the file.
The first workaround Microsoft recommends for users who cannot apply the patch is to configure Outlook to read all email in plain text format, so that RTF message bodies are never rendered. The trade-off is that rich formatting and embedded images are lost from every message.
The second is to use the Microsoft Office File Block policy (set through Group Policy or the Trust Center's File Block Settings) to prevent Office from opening RTF documents from unknown or untrusted sources. This blocks legitimate RTF files as well, so users who rely on the format should be warned in advance.
The remote code execution (RCE) bug has a CVSS 3.1 base score of 9.8 out of 10, which puts it in the "critical" range. The score reflects its vector: exploitable over the network, low attack complexity, no privileges and no user interaction required, with high impact to confidentiality, integrity and availability. No attacks in the wild have yet been reported.
Security researcher Joshua Drake discovered the memory corruption vulnerability and notified Microsoft. This week he published a proof of concept exploit for the bug.
"A vulnerability within Microsoft Office's wwlib allows attackers to achieve remote code execution with the privileges of the victim that opens a malicious RTF document. The attacker could deliver this file as an email attachment (or other means)," he wrote.
According to Drake's advisory, the bug lies in Word's RTF parser: a font table (\fonttbl) that declares an excessive number of font entries (\f###) leads to heap corruption. An attacker could use such a file to "cause the heap corruption to yield an arbitrary code execution," Drake said.
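The font-table condition described above can be checked for offline, before a file reaches Word or Outlook. The following Python script is an added example written for this article, not code from Drake's advisory or from Microsoft: it walks the brace-balanced {\fonttbl ...} groups of an RTF file, counts the distinct \fN font entries declared in them, and flags a file whose count exceeds a threshold. The 1024-entry threshold and the two embedded sample documents are constructed assumptions for the example. It is a triage heuristic for a mail gateway or an incident-response toolkit, not a patch, and it will not catch other ways of reaching the bug.

```python
import re

# Heuristic threshold for flagging a file. This value is an assumption chosen for
# the example, not a number from Microsoft's or Drake's advisories: ordinary
# documents declare at most a few dozen fonts, while a file built to reach the
# font-table bug declares thousands.
FONT_COUNT_THRESHOLD = 1024

# Start of a font-table group and the pattern of a numbered font entry (\f0, \f1, ...).
# Control words such as \fswiss, \froman or \fs24 are not followed by a digit and do not match.
FONTTBL = b"{\\fonttbl"
FONT_ENTRY = re.compile(rb"\\f(\d+)")

# Constructed benign sample: a two-font document (not taken from any real file).
BENIGN_RTF = (
    rb"{\rtf1\ansi{\fonttbl{\f0\fswiss Helvetica;}{\f1\froman Times;}}"
    rb"\f0\fs24 Hello, world.\par}"
)


def build_rtf_with_fonts(n):
    """Construct a test document whose font table declares n fonts (constructed sample)."""
    entries = b"".join(b"{\\f%d A;}" % i for i in range(n))
    return b"{\\rtf1\\ansi{\\fonttbl" + entries + b"}\\f0 text\\par}"


def font_table_groups(data):
    """Yield the bytes of every brace-balanced {\\fonttbl ...} group in an RTF body.

    Nested groups such as {\\f0 ...} are kept inside the yielded span. A backslash
    always consumes the following byte, so the RTF escapes \\{ \\} and \\\\ cannot
    unbalance the depth count. An unterminated group (malformed file) is yielded
    as the remainder of the data.
    """
    pos = 0
    while True:
        start = data.find(FONTTBL, pos)
        if start < 0:
            return
        depth = 0
        i = start
        while i < len(data):
            c = data[i]
            if c == 0x5C:            # backslash: skip the escaped or control character
                i += 2
                continue
            if c == 0x7B:            # '{'
                depth += 1
            elif c == 0x7D:          # '}'
                depth -= 1
                if depth == 0:
                    yield data[start:i + 1]
                    break
            i += 1
        else:
            yield data[start:]       # no closing brace found
            return
        pos = i + 1


def analyze_rtf(data, threshold=FONT_COUNT_THRESHOLD):
    """Count distinct font entries across all font tables and flag an oversized table."""
    indices = set()
    tables = 0
    for group in font_table_groups(data):
        tables += 1
        for m in FONT_ENTRY.finditer(group):
            indices.add(int(m.group(1)))
    return {
        "font_tables": tables,
        "font_count": len(indices),
        "max_font_index": max(indices) if indices else None,
        "suspicious": len(indices) > threshold,
    }


def scan_file(path, threshold=FONT_COUNT_THRESHOLD):
    """Analyze an RTF file on disk."""
    with open(path, "rb") as f:
        return analyze_rtf(f.read(), threshold)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_RTF), ("oversized", build_rtf_with_fonts(40000))):
        print(label, analyze_rtf(blob))
```

Only the font table is inspected, so \f0 references in the document body are not counted, and a file with no font table at all simply reports zero fonts. Because Word has historically tolerated RTF that begins with other content before the {\rtf1 header, the scanner searches the whole file for font-table groups rather than trusting the first bytes.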
Previous bugs in Microsoft Office have become popular targets for state-sponsored hackers. Flaws in the suite's Object Linking and Embedding (OLE) technology, all of which were patched by Microsoft, have topped the list of exploits most commonly attacked by state-sponsored threat groups, published by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.