Expert released PoC exploit code for critical Microsoft Word RCE flaw

Security researcher released a proof-of-concept exploit code for a critical flaw, tracked as CVE-2023-21716, in Microsoft Word.

Security researcher Joshua Drake released a proof-of-concept for a critical vulnerability, tracked as CVE-2023-21716 (CVSS score 9.8 out of 10), in Microsoft Word.

The vulnerability can be exploited by a remote attacker to execute arbitrary code on a system running the vulnerable software. The issue can be easily exploited, anyway, it can be exploited only with user interaction.

Microsoft addressed the vulnerability with the release of the February Patch Tuesday security updates.

The vulnerability was discovered by Drake in November, it resides in the in Microsoft Office’s “wwlib.dll” library.

“An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file.” reads the advisory published by Microsoft.

The vulnerability can be also be exploited by simply loading a specially crafted RTF document in the Preview Pane.

Drake discovered a heap corruption vulnerability in the RTF parser in Microsoft Word that can be triggered dealing with a font table (*\fonttbl*) containing a large number of fonts (*\f###*).

“Following this memory corruption, additional processing takes place. With a properly crafted heap layout, an attacker cause the heap corruption to yield arbitrary code execution. Using the proof-of-concept code supplied below, processing eventually reaches the post-processing clean up code.” reads the technical post published by the researchers.

The researchers shared a proof-of-concept code that trigger the bug to launch the Calculator app in Windows.

The good news is that at this time Microsoft is not aware of attacks in the wild exploiting this vulnerability.

Microsoft also provided workarounds to protect against this vulnerability, the IT giant recommends users to read email messages in plain text format.

Microsoft also recommends to use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Word)