A critical vulnerability patched in Microsoft’s February 2023 Patch Tuesday update now has proof of concept (PoC) exploit code. CVE-2023-21716 is a critical, 9.8/10 CVSSv3.1 score vulnerability in Microsoft Office’s wwlib.dll that allows a simple attack to remotely execute code on a target computer.
Malicious files can be sent to victims (or via other social engineering attacks) and the attack can be initiated just by loading the file preview, so users don’t even need to open the file to be attacked.
Exploitation of CVE-2023-21716
There are no reports of exploitation in the wild yet, and Microsoft also notes that the vulnerability is “less likely to be exploited.” Word and other Office applications have historically been attractive targets, though, so it’s a good idea to move forward with patching. Microsoft 365 apps, SharePoint, and others are affected by the vulnerability and should be patched within the week to avoid exploitation. Check out the full list of affected applications in Microsoft’s update guide here.
Microsoft also offers workarounds if patching quickly isn’t possible, though they require editing registry keys, which can cause headaches if used or modified incorrectly, so proceed with caution. Using registry keys, you can use Outlook to reduce the risk of users opening potentially malicious RTF files from unknown or untrusted sources. For full details on the registry edits needed, check out Microsoft’s advisory.