Published: March 07, 2023

Overview

A vulnerability (CVE-2023-21716) in Microsoft’s Word wwwlib library allows attackers to get Remote Code Execution with the privileges of the victim when the victim opens a malicious RTF document.

An attacker could deliver this payload in several ways including as an attachment in spear-phishing attacks.

Impact

This is a heap corruption vulnerability which can be exploited by a malicious Microsoft Word document.  The attacker needs to persuade a victim/target to open or preview a specific Word document like via phishing email with the doc as attachment or a web link.

The attacker can gain Remote Code Execution in the target system with the privileges of the victim.

Applicable Versions

All platforms using Microsoft Word, Microsoft Office and SharePoint Enterprise Server 2013.

This vulnerability affects at least the following versions of Microsoft Office:

  • Microsoft Office 365 (Insider Preview – 2211 Build 15831.20122 CTR)
  • Microsoft Office 2016 (Including Insider Slow – 1704 Build 8067.2032 CTR)
  • Microsoft Office 2013
  • Microsoft Office 2010
  • Microsoft Office 2007

Mitigations and Workarounds

The solution to fix this issue is to apply the Microsoft security update released on February 14, 2023 (Tuesday).

The immediate workarounds available are:

  1. Users should read email messages in plain text format.
  2. Use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.
  3. Modify Registries (not recommended) at your own risk as given in workaround section of https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716

Best Practices

Be very careful in opening email attachments, especially from unknown senders.

It is advisable to run vulnerability scanning like that available with Netsurion Vulnerability Management.

Netsurion Detection and Response

Netsurion’s Vulnerability Management signature database has been updated to detect CVE-2023-21716. Our Security Operations Center (SOC) will detect and report CVE-2023-21716 vulnerability to our customers and partners who subscribe to Netsurion Vulnerability Management.

Contact your Netsurion Account Manager with any questions.
 

References:

Cybersecurity Updates
Latest Advisory Alerts

Palo Alto PAN-OS Command Injection Vulnerability

D-Link NAS Command Injection Vulnerability

VMware ESXi, Workstation, and Fusion Vulnerabilities

Latest Data Source Integrations

AWS Key Management Service (KMS)

Have I Been Pwned

SentinelOne

Latest Enhancements

Netsurion Open XDR Now Supports PCI DSS 4.0

Extended Data Source Integrations and Alerts Released for Essentials

Enriched Application Control in Open XDR 9.4