Proof-of-concept for patched serious vulnerability in Word appears online

A security researcher has posted a proof-of-concept online of a remote code execution bug in Microsoft Word. That has now been patched. Attackers could exploit the vulnerability to cause damage.

The security researcher who found the vulnerability last year now has one working exploit of posted online. That fits completely in a tweet. The researcher says that with that piece of code it is possible to cause heap corruption by loading a large number of fonts. The bug is in Microsoft Word’s RTF parser, wwlib.dll.

According to Joshua Drake, attackers can exploit the bug remotely by sending an infected .RTF document to a victim. The recipient does not even have to open the message themselves; the bug is already triggered when Word opens the document in preview. If the software then loads a font table containing a large number of fonts, memory corruption occurs. It is then possible to execute code on a machine with the same rights as the recipient. If that is an admin, a lot of damage can occur to the system. The code needed to cause that corruption is small. Since Drake introduced the bug, he has managed to make it even smaller.

Drake reported the bug to Microsoft in November. The company has the vulnerability, that code CVE-2023-21716 received, fixed during February’s Patch Tuesday. The proof-of-concept therefore does not apply to systems that have already been patched, but attackers can exploit it on unpatched systems. This is a serious vulnerability, which receives a CVSS score of 9.8. This is mainly due to how serious the potential damage is and how easy it is to potentially exploit the bug.

Drake only shows that he can indeed cause an overflow via the vulnerability, but in the proof-of-concept he does not execute any actual code. It is therefore not clear whether the proof-of-concept can directly lead to an exploit.