Published: March 07, 2023
A vulnerability (CVE-2023-21716) in Microsoft’s Word wwwlib library allows attackers to get Remote Code Execution with the privileges of the victim when the victim opens a malicious RTF document.
An attacker could deliver this payload in several ways including as an attachment in spear-phishing attacks.
This is a heap corruption vulnerability which can be exploited by a malicious Microsoft Word document. The attacker needs to persuade a victim/target to open or preview a specific Word document like via phishing email with the doc as attachment or a web link.
The attacker can gain Remote Code Execution in the target system with the privileges of the victim.
All platforms using Microsoft Word, Microsoft Office and SharePoint Enterprise Server 2013.
This vulnerability affects at least the following versions of Microsoft Office:
- Microsoft Office 365 (Insider Preview – 2211 Build 15831.20122 CTR)
- Microsoft Office 2016 (Including Insider Slow – 1704 Build 8067.2032 CTR)
- Microsoft Office 2013
- Microsoft Office 2010
- Microsoft Office 2007
Mitigations and Workarounds
The solution to fix this issue is to apply the Microsoft security update released on February 14, 2023 (Tuesday).
The immediate workarounds available are:
- Users should read email messages in plain text format.
- Use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.
- Modify Registries (not recommended) at your own risk as given in workaround section of https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716
Be very careful in opening email attachments, especially from unknown senders.
It is advisable to run vulnerability scanning like that available with Netsurion Vulnerability Management.
Netsurion Detection and Response
Netsurion’s Vulnerability Management signature database has been updated to detect CVE-2023-21716. Our Security Operations Center (SOC) will detect and report CVE-2023-21716 vulnerability to our customers and partners who subscribe to Netsurion Vulnerability Management.
Contact your Netsurion Account Manager with any questions.