Expert released PoC exploit code for critical Microsoft Word RCE flaw

Security researcher released a proof-of-concept exploit code for a critical flaw, tracked as CVE-2023-21716, in Microsoft Word.

Security researcher Joshua Drake released a proof-of-concept for a critical vulnerability, tracked as CVE-2023-21716 (CVSS score 9.8 out of 10), in Microsoft Word.

The vulnerability can be exploited by a remote attacker to execute arbitrary code on a system running the vulnerable software. The issue can be easily exploited, anyway, it can be exploited only with user interaction.

Microsoft addressed the vulnerability with the release of the February Patch Tuesday security updates.

The vulnerability was discovered by Drake in November, it resides in the in Microsoft Office’s “wwlib.dll” library.

“An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file.” reads the advisory published by Microsoft.

The vulnerability can be also be exploited by simply loading a specially crafted RTF document in the Preview Pane.

Drake discovered a heap corruption vulnerability in the RTF parser in Microsoft Word that can be triggered dealing with a font table (*\fonttbl*) containing a large number of fonts (*\f###*).

“Following this memory corruption, additional processing takes place. With a properly crafted heap layout, an attacker cause the heap corruption to yield arbitrary code execution. Using the proof-of-concept code supplied below, processing eventually reaches the post-processing clean up code.” reads the technical post published by the researchers.

The researchers shared a proof-of-concept code that trigger the bug to launch the Calculator app in Windows.

The good news is that at this time Microsoft is not aware of attacks in the wild exploiting this vulnerability.

Microsoft also provided workarounds to protect against this vulnerability, the IT giant recommends users to read email messages in plain text format.

Microsoft also recommends to use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Word)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.