Proof-of-concept for patched severe vulnerability in Word appears online


A security researcher has published a proof-of-concept for a remote code execution bug in Microsoft Word. The bug has since been patched, but attackers could still exploit it on systems that have not applied the update.

The security researcher who found the vulnerability last year has now put a working proof-of-concept online. It fits entirely in a tweet. According to the researcher, the snippet causes heap corruption by making Word load a very large number of fonts. The bug lies in Word’s RTF parser, which lives in wwlib.dll.

According to Joshua Drake, attackers can exploit the bug remotely by sending a malicious .RTF document to a victim. The recipient does not even have to open the file deliberately: the bug is already triggered when Word renders the document in the Preview Pane. When the parser loads a font table containing a very large number of fonts, memory corruption occurs, and from there it is possible to execute code on the machine with the same privileges as the recipient. If that recipient is an administrator, the damage to the system can be extensive. The code needed to trigger the corruption is small, and since reporting the bug Drake has managed to make it smaller still.
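The trigger described above (an RTF font table with an implausibly large number of entries) is something a defender can look for in attachments before Word ever parses them. The following Python script is an added example, not Drake’s proof-of-concept and not Microsoft’s code: it walks the RTF group structure, locates the \fonttbl group and counts the font definitions inside it. The threshold of 1000 fonts, the group-walking logic and the sample documents built by build_sample are assumptions constructed for illustration.

```python
r"""Added triage helper (not Drake's proof-of-concept): flag RTF files whose
font table declares an abnormally large number of fonts, the condition the
article says triggers the heap corruption in Word's RTF parser (wwlib.dll).

Assumptions: the threshold below is illustrative, and the sample documents
produced by build_sample() are constructed inline for testing only.
"""
import re
import sys
from typing import Optional

# Assumption: legitimate documents declare a handful of fonts, not thousands.
FONT_COUNT_THRESHOLD = 1000

# A font definition inside \fonttbl is introduced by \fN (\f0, \f1, ...).
# Other \f-prefixed control words (\fnil, \fcharset, \fswiss, \fs24) are
# followed by a letter, so requiring digits keeps them from matching.
FONT_ENTRY = re.compile(rb"\\f(\d+)")


def looks_like_rtf(data: bytes) -> bool:
    r"""Word recognises RTF by its leading {\rtf group, whatever the extension."""
    return data.lstrip().startswith(b"{\\rtf")


def extract_group(data: bytes, name: bytes) -> Optional[bytes]:
    r"""Return the first {\name ...} group, honouring nested and escaped braces.
    Returns None if the group is absent or the file is truncated/unbalanced."""
    start = data.find(b"{\\" + name)
    if start == -1:
        return None
    depth = 0
    escaped = False
    for i in range(start, len(data)):
        c = data[i:i + 1]
        if escaped:  # byte after a backslash: control word start or \{ \} \\
            escaped = False
            continue
        if c == b"\\":
            escaped = True
        elif c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
    return None  # ran off the end without closing the group


def count_fonts(rtf: bytes) -> int:
    r"""Number of font definitions in the document's \fonttbl group (0 if none)."""
    table = extract_group(rtf, b"fonttbl")
    if table is None:
        return 0
    return len(FONT_ENTRY.findall(table))


def is_suspicious(rtf: bytes, threshold: int = FONT_COUNT_THRESHOLD) -> bool:
    """True when the data is RTF and its font table is implausibly large."""
    return looks_like_rtf(rtf) and count_fonts(rtf) >= threshold


def build_sample(n_fonts: int) -> bytes:
    """Constructed test input: a minimal RTF document declaring n_fonts fonts."""
    table = b"".join(b"{\\f%d\\fnil Font%d;}" % (i, i) for i in range(n_fonts))
    return b"{\\rtf1\\ansi{\\fonttbl" + table + b"}\\f0 Hello\\par}"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        verdict = "SUSPICIOUS" if is_suspicious(data) else "ok"
        print(f"{path}: {count_fonts(data)} fonts, {verdict}")
```

Run it over a quarantine directory with `python triage_rtf.py *.rtf *.doc`; the check keys on the `{\rtf` magic rather than the extension because Word parses RTF content regardless of the file name, and a truncated or unbalanced font table is reported as zero fonts rather than crashing the script.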

Drake reported the bug to Microsoft in November. The company fixed the vulnerability, tracked as CVE-2023-21716, in its February Patch Tuesday update. The proof-of-concept therefore does nothing on systems that have already been patched, but attackers can use it against unpatched systems. The vulnerability is serious, with a CVSS score of 9.8, reflecting both the severity of the potential damage and how easily the bug can potentially be exploited.

Drake’s proof-of-concept only demonstrates that the vulnerability can be used to corrupt memory; it does not actually execute any code. Whether the proof-of-concept can be turned directly into a working exploit is therefore unclear, since turning a heap corruption into controlled code execution requires further work that the snippet does not show.
