Overview
Recently, NSFOCUS CERT found that a PoC for the Microsoft Word remote code execution vulnerability (CVE-2023-21716) has been disclosed on the Internet. The RTF parser in Microsoft Word triggers a heap corruption vulnerability when it processes a font table (\fonttbl) that contains too many fonts (\f###). An attacker can exploit this by sending a malicious email carrying an RTF payload, or by other means of delivering a crafted file; when a user is induced to open the crafted file on an affected system, an unauthenticated attacker can execute arbitrary code on the target system. The Preview Pane is also an attack vector for this vulnerability. The CVSS score is 9.8. Affected users are advised to take protective measures as soon as possible.
NSFOCUS researchers have verified that the PoC works.
Reference link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716
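The advisory identifies the trigger as an RTF font table with an excessive number of font entries. The following PowerShell function is an added example for defenders (it is not part of the NSFOCUS advisory and not NSFOCUS code): it locates the `{\fonttbl ...}` group in an RTF document, counts the `\f<number>` font entries it declares, and flags files whose count exceeds a threshold. The threshold of 64 and the `.\incoming` directory in the usage section are assumptions; the sample RTF strings are constructed here and contain nothing beyond a plain font table.

```powershell
# Added example (not from the NSFOCUS advisory): heuristic triage of RTF
# files for an oversized \fonttbl group, the condition the advisory names
# as the trigger for CVE-2023-21716. The threshold is an assumption;
# legitimate documents rarely declare more than a few dozen fonts.
function Get-RtfFontTableStats {
    param(
        [Parameter(Mandatory)] [string] $RtfText,
        [int] $Threshold = 64   # assumed heuristic limit, tune for your environment
    )

    # RTF allows whitespace between the brace and the control word,
    # so match '{' followed by optional whitespace and '\fonttbl'.
    $m = [regex]::Match($RtfText, '\{\s*\\fonttbl')
    if (-not $m.Success) {
        return [pscustomobject]@{ HasFontTable = $false; FontCount = 0; Suspicious = $false }
    }

    # Walk forward from the opening brace, tracking nesting depth, until the
    # group that started at \fonttbl closes. A backslash introduces either a
    # control word or an escaped character (\{, \}, \\), so skipping the
    # character after every backslash keeps escaped braces from changing depth.
    $depth = 0
    $i = $m.Index
    $end = -1
    while ($i -lt $RtfText.Length) {
        $c = $RtfText[$i]
        if ($c -eq '\') { $i += 2; continue }
        if ($c -eq '{') { $depth++ }
        elseif ($c -eq '}') {
            $depth--
            if ($depth -eq 0) { $end = $i; break }
        }
        $i++
    }
    # Unterminated group (itself a malformed-document signal): scan to end of text.
    if ($end -lt 0) { $end = $RtfText.Length - 1 }

    $group = $RtfText.Substring($m.Index, $end - $m.Index + 1)

    # Each font entry is introduced by \fN (N = font number). Requiring digits
    # directly after 'f' excludes other control words such as \fnil, \fswiss,
    # \fcharset and \fprq that also begin with 'f'.
    $fontCount = ([regex]::Matches($group, '\\f\d+(?![A-Za-z])')).Count

    [pscustomobject]@{
        HasFontTable = $true
        FontCount    = $fontCount
        Suspicious   = ($fontCount -gt $Threshold)
    }
}

# Constructed benign sample with two fonts: FontCount 2, Suspicious False.
$benign = '{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f1\froman Times New Roman;}}\f0 Hello}'
Get-RtfFontTableStats -RtfText $benign

# Constructed sample with an unusually large, otherwise ordinary font table,
# used only to exercise the counter: FontCount 200, Suspicious True.
$entries = (0..199 | ForEach-Object { "{\f$_\fnil Font$_;}" }) -join ''
$big = "{\rtf1\ansi{\fonttbl$entries}\f0 Hello}"
Get-RtfFontTableStats -RtfText $big

# Triage a quarantine directory (assumed path) before files reach users.
Get-ChildItem -Path .\incoming -Filter *.rtf | ForEach-Object {
    $stats = Get-RtfFontTableStats -RtfText (Get-Content -Raw -LiteralPath $_.FullName)
    [pscustomobject]@{ File = $_.Name; Fonts = $stats.FontCount; Suspicious = $stats.Suspicious }
}
```

This is a triage heuristic, not a parser with full RTF semantics: it reads the text as-is, so files that have been renamed (for example a .doc extension on RTF content) should be identified by their leading `{\rtf` signature rather than by extension before being fed to it, and a hit should be treated as a reason to hold the file and confirm patch status, not as proof of exploitation.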
Scope of Impact
- Microsoft 365 Apps for Enterprise for 32-bit Systems
- Microsoft 365 Apps for Enterprise for 64-bit Systems
- Microsoft Office 2019 for 32-bit editions
- Microsoft Office 2019 for 64-bit editions
- Microsoft Office 2019 for Mac
- Microsoft Office LTSC 2021 for 32-bit editions
- Microsoft Office LTSC 2021 for 64-bit editions
- Microsoft Office LTSC for Mac 2021
- Microsoft Office Online Server
- Microsoft Office Web Apps Server 2013 Service Pack 1
- Microsoft SharePoint Enterprise Server 2013 Service Pack 1
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
- Microsoft Word 2013 RT Service Pack 1
- Microsoft Word 2013 Service Pack 1 (32-bit editions)
- Microsoft Word 2013 Service Pack 1 (64-bit editions)
- Microsoft Word 2016 (32-bit edition)
- Microsoft Word 2016 (64-bit edition)
- SharePoint Server Subscription Edition Language Pack
Mitigation
Official upgrade
Microsoft has released a security patch that fixes the vulnerability for supported product versions. Affected users are advised to enable automatic updates so that the patch is installed.
Note: Because of network conditions, device environment and other factors, a Windows Update patch installation may fail. After installing the patch, check that it was applied: right-click the Windows logo, select “Settings”, then “Update and Security” – “Windows Update”, and read the status shown on that page, or click “View Update History” to see the updates already installed.
If the patch was not installed successfully, you can download the offline installation package directly from the following link and update manually: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716
Manual update
- Open an Office app and create a document.
- Click “File” > “Account”, then under Product Information click “Update Options” > “Update Now”.
- To confirm that the Office app was updated successfully, click “Update Now” again to check for updates. If Office reports that you are up to date, the app has been updated to the latest version.
Temporary mitigation
If affected users cannot upgrade, the vulnerability can be mitigated by the following actions:
1. Use Microsoft Outlook to read e-mail in plain text, which reduces the risk of users opening RTF content from unknown or untrusted sources. To configure Microsoft Outlook to read messages in plain text, refer to: https://support.microsoft.com/en-us/office/change-the-message-format-to-html-rich-text-format-or-plain-text-338a389d-11da-47fe-b693-cf41f792fefa?ui=en-us&rs=en-us&ad=us
2. Use the Microsoft Office file block policy to prevent Office from opening RTF documents from unknown or untrusted sources. Note that users who configure the file block policy without also configuring an “exempt directory” will not be able to open any document saved in RTF format. See: https://learn.microsoft.com/en-us/office/troubleshoot/settings/file-blocked-in-office
Note: This method requires editing the registry. Incorrect changes to the registry can cause serious problems and may require reinstalling the operating system.
- Office 2013
1. Run regedit.exe as administrator and navigate to the following key:
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
2. Set the RtfFiles DWORD value to 2.
3. Set the OpenInProtectedView DWORD value to 0.
- Office 2016/2019/2021
1. Run regedit.exe as administrator and navigate to the following key:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]
2. Set the RtfFiles DWORD value to 2.
3. Set the OpenInProtectedView DWORD value to 0.
To revert the above mitigation, do the following:
- Office 2013
1. Run regedit.exe as administrator and navigate to the following key:
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
2. Set the RtfFiles DWORD value to 0.
3. Set the OpenInProtectedView DWORD value to 0.
- Office 2016/2019/2021
1. Run regedit.exe as administrator and navigate to the following key:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]
2. Set the RtfFiles DWORD value to 0.
3. Set the OpenInProtectedView DWORD value to 0.
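The registry steps above, written as a PowerShell script that applies, reverts and verifies the file block settings for both Office 2013 (15.0) and Office 2016/2019/2021 (16.0). This is an added example, not part of the NSFOCUS advisory and not Microsoft tooling; the key paths and values are exactly those listed above (RtfFiles 2 to block, 0 to revert, OpenInProtectedView 0 in both cases). The function and parameter names are this example's own. Because the keys live under HKEY_CURRENT_USER, the script must run in the profile of the user whose Word installation is to be protected; an elevated session running as a different administrator account would write to that account's hive instead.

```powershell
# Added example (not from the NSFOCUS advisory): apply, revert or check the
# Word file-block registry mitigation for the two Office key paths given in
# the advisory. Runs against HKCU, i.e. the current user's hive.
$FileBlockKeys = @{
    'Office 2013'           = 'HKCU:\Software\Microsoft\Office\15.0\Word\Security\FileBlock'
    'Office 2016/2019/2021' = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\FileBlock'
}

function Set-WordRtfFileBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [ValidateSet('Apply', 'Revert')] [string] $Action
    )
    # Apply sets RtfFiles to 2 (block RTF); Revert sets it back to 0.
    # The advisory sets OpenInProtectedView to 0 in both cases.
    $rtfValue = if ($Action -eq 'Apply') { 2 } else { 0 }

    foreach ($entry in $FileBlockKeys.GetEnumerator()) {
        $key = $entry.Value
        if ($PSCmdlet.ShouldProcess("$($entry.Key) ($key)", "$Action RTF file block")) {
            # The FileBlock key does not exist until something writes it;
            # -Force creates any missing parent keys as well.
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            New-ItemProperty -LiteralPath $key -Name 'RtfFiles' -PropertyType DWord -Value $rtfValue -Force | Out-Null
            New-ItemProperty -LiteralPath $key -Name 'OpenInProtectedView' -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

function Get-WordRtfFileBlock {
    # Report the current state so the change can be verified, or audited
    # across machines where the patch has not yet been confirmed.
    foreach ($entry in $FileBlockKeys.GetEnumerator()) {
        $key = $entry.Value
        $props = $null
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
        }
        $rtf  = if ($props) { $props.RtfFiles } else { $null }
        $opv  = if ($props) { $props.OpenInProtectedView } else { $null }
        [pscustomobject]@{
            Version             = $entry.Key
            KeyExists           = [bool]$props
            RtfFiles            = $rtf
            OpenInProtectedView = $opv
            RtfBlocked          = ($rtf -eq 2)
        }
    }
}

# Usage: preview the change, apply it, verify, and revert once the patch is installed.
Set-WordRtfFileBlock -Action Apply -WhatIf
Set-WordRtfFileBlock -Action Apply
Get-WordRtfFileBlock | Format-Table -AutoSize
# Set-WordRtfFileBlock -Action Revert
```

Get-WordRtfFileBlock is also a convenient compliance check: RtfBlocked should read True on every unpatched machine while the workaround is in force, and the key may legitimately be absent on hosts that never had the policy applied.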
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.