This malicious Word doc doesn't even have to be opened to infect your PC

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

Last week, cybersecurity researcher Joshua Drake published a proof-of-concept for a vulnerability in Microsoft Word, detailing a way for threat actors to deliver malware without users ever needing to open a file.

The vulnerability is tracked as CVE-2023-21716. It’s been given a 9.8 severity score and deemed critical, as it allows for remote code execution.

BleepingComputer reported that Microsoft fixed it in the February Patch Tuesday cumulative update.

No evidence of abuse

Those that do not apply the patch risk having their endpoints compromised merely by loading a malicious .RTF document in the preview pane. 

As per Drake's report, the RTF parser in Microsoft Word carries a heap corruption flaw that can be activated “when dealing with a font table containing an excessive number of fonts.” What’s more, the vulnerability is relatively easy to write, as its entire code can fit in a single tweet. 

On the other hand, Microsoft reassured users that threat actors actually abusing the flaw is “less likely”, adding that there is no evidence this has happened in the wild. Truth be told, we can’t say for certain if Drake’s PoC can be weaponized or not, as they only showed the exploitation in theory. 

For those not interested in risking anything, the best way to stay protected is to apply Microsoft’s cumulative update published in the February Patch Tuesday. Those that can’t apply the fix for whatever reason should either read emails in plain text format, or enable the Microsoft Office File Block policy, which bans Office apps from opening RTF documents originating from untrusted sources. 

The latter requires a bit more skill, though, as the Windows Registry needs to be tweaked. Furthermore, “if you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system,” Microsoft cautions. 

Also, if you don’t set up an “exempt directory”, you might not be able to open any RTF document anymore.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.