A PoC exploit for CVE-2023-21716, a critical RCE vulnerability in Microsoft Word that can be exploited when the user previews a specially crafted RTF document, is now publicly available.
Joshua Drake, a researcher, had reported the vulnerability to Microsoft along with a technical advisory and proof-of-concept (PoC) exploit code. The issue was addressed in the February Patch Tuesday release, so the researcher has now made the advisory and the PoC public.
How Does the CVE-2023-21716 Vulnerability Work?
It is a heap corruption vulnerability in Microsoft Word’s RTF parser that, if triggered, allows attackers to achieve remote code execution with the privileges of the victim. The flaw does not require prior authentication: attackers can simply send a booby-trapped RTF file to the victim(s) via email.
Because additional processing takes place after the memory corruption occurs, a threat actor could exploit the CVE-2023-21716 vulnerability by using a specially crafted heap layout.
In the security advisory accompanying the patches, Microsoft confirmed the Preview Pane as an attack vector. Though patching vulnerable products is preferred, the company also offered guidance on possible workarounds, which include:
- Configuring Microsoft Outlook to read all standard mail in plain text format.
- Using the Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.
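Both workarounds are ordinary per-user registry settings, so they can be applied and audited with a short script. The following is an added example, not code from the article or from Microsoft; it uses the documented Outlook plain-text (ReadAsPlain) and Word File Block (RtfFiles / OpenInProtectedView) value names, and assumes the Office 16.0 registry branch (Office 2016, 2019, LTSC 2021 and Microsoft 365 Apps).

```powershell
# Added example: apply and audit Microsoft's two CVE-2023-21716 workarounds for the current user.
# Assumption: Office 16.0 registry branch; adjust $OfficeVersion for other builds.
$OfficeVersion = '16.0'
$OutlookMail   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
$WordFileBlock = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"
# Group Policy-managed machines carry the same values under
# HKCU:\Software\Policies\Microsoft\Office\<version>\... instead.

function Set-RtfWorkarounds {
    # Outlook: "Read all standard mail in plain text" (ReadAsPlain = 1)
    New-Item -Path $OutlookMail -Force | Out-Null
    Set-ItemProperty -Path $OutlookMail -Name 'ReadAsPlain' -Type DWord -Value 1

    # Word File Block: RtfFiles = 2 (apply to RTF files), OpenInProtectedView = 0 (do not open)
    New-Item -Path $WordFileBlock -Force | Out-Null
    Set-ItemProperty -Path $WordFileBlock -Name 'RtfFiles'            -Type DWord -Value 2
    Set-ItemProperty -Path $WordFileBlock -Name 'OpenInProtectedView' -Type DWord -Value 0
}

function Test-RtfWorkarounds {
    # Report whether each workaround is currently in effect; missing keys read as $null (not set)
    $mail  = Get-ItemProperty -Path $OutlookMail   -ErrorAction SilentlyContinue
    $block = Get-ItemProperty -Path $WordFileBlock -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OutlookPlainText = ($mail.ReadAsPlain -eq 1)
        WordRtfBlocked   = ($block.RtfFiles -eq 2 -and $block.OpenInProtectedView -eq 0)
    }
}

Set-RtfWorkarounds
Test-RtfWorkarounds | Format-List
```

The settings live under HKCU, so they protect only the user running the script, and blocking RTF also prevents legitimate RTF documents from opening until the key is removed.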
The following Microsoft products are affected by the CVE-2023-21716 vulnerability, and users are advised to patch their vulnerable products as soon as possible.
- Microsoft 365 Apps for Enterprise (32-bit and 64-bit editions)
- Office 2019 (for Mac, 32-bit and 64-bit editions)
- Office LTSC 2021 (for Mac 2021, 32-bit and 64-bit systems)
- Office Online Server
- Office Web Apps Server 2013 Service Pack 1
- Word 2013 (RT SP1, SP1 32-bit and SP1 64-bit editions)
- Word 2016 (32-bit and 64-bit editions)
- Enterprise Server 2013 Service Pack 1
- Enterprise Server 2016
- Foundation 2013 Service Pack 1
- Server 2019
- Server Subscription Edition
- Server Subscription Edition Language Pack
There is no evidence that the CVE-2023-21716 vulnerability is being actively exploited, and Microsoft believes that exploitation is unlikely.
Even so, the safest way to address the vulnerability is to install the security update provided by Microsoft.