
CVE-2023-21716: Malicious RTF File Protection with Content Disarm and Reconstruction

Overview of CVE-2023-21716—Microsoft Word RTF Font Table Heap Corruption

Microsoft recently issued a security advisory describing CVE-2023-21716, a critical Remote Code Execution (RCE) vulnerability affecting several versions of Microsoft Office, SharePoint, and Microsoft 365 Apps.

The vulnerability is a heap corruption bug in the Rich Text Format (RTF) parser of Microsoft Word, triggered when it processes a font table (\fonttbl) containing an excessive number of font entries (\f###). An attacker can exploit it by emailing or uploading a malicious RTF document, or a file carrying an embedded RTF payload, and enticing the user to open it.

When the victim opens the malicious file, the attacker can execute arbitrary code in the context of the application used to open it. The Preview Pane is also an attack vector, so merely previewing a message or file can be enough to trigger the parser. The result can be malware installation, theft of sensitive data, or other malicious activity.

The vulnerability has been assigned a CVSS score of 9.8 (Critical) because it is exploitable over the network with low attack complexity and requires minimal interaction from the victim.

We scanned an RTF file containing the malicious payload with OPSWAT MetaDefender and observed that only 3 of 21 anti-malware engines detected the threat. An organization that relies solely on signature-based detection could therefore remain exposed to this attack.

screenshot malicious RTF file malware analysis results

Vulnerability workarounds affect productivity

Microsoft published patches in the February 14, 2023, Patch Tuesday update. They recommend updating the affected products.

For users who cannot apply the fix, Microsoft suggests workarounds that reduce the risk of opening RTF files from unknown or untrusted sources. However, these workarounds are neither easy to implement nor conducive to normal business activity.

  • Microsoft suggests reading email in plain-text format. This removes the rich-text message body as a vector, but it is unlikely to be adopted: plain text cannot display pictures, animations, bold or italic text, colored fonts, or other formatting, so a substantial amount of information in each message is lost. Note also that it does not stop a user from opening an RTF attachment delivered with the message.
  • Another option is the Microsoft Office File Block policy, which prevents Office applications from opening RTF files of unknown or untrusted origin. Enabling it requires modifying the Windows Registry (in managed environments the same setting can be deployed through the Office Group Policy templates), and care is needed: mistakes in the Registry Editor can cause serious problems that may require reinstalling the operating system. Moreover, unless an "exempt directory" has been designated, users may be unable to open any RTF documents at all.

Stay secure without complicated workarounds or sacrificing usability

Instead of wrestling with intricate workarounds or sacrificing file usability, OPSWAT Deep CDR (Content Disarm and Reconstruction) offers a remedy.

Deep CDR technology protects against advanced and zero-day threats. It identifies and removes potentially malicious content from incoming files, such as email attachments or file uploads, while delivering safe, usable files.

By removing embedded objects from RTF files and reconstructing each file from verified, known-safe components, Deep CDR delivers a sanitized file that can be opened without carrying the original payload.

The Deep CDR process involves the following steps:

Diagram of Deep Content Disarm and Reconstruction process
Screenshot of Content Disarm and Reconstruction RTF file configuration options

CDR technology is effective against unknown and sophisticated threats because it does not depend on detecting and blocking specific malware signatures.

OPSWAT Deep CDR lets administrators configure the sanitization process for RTF files. To keep this vulnerability out of the output, every RTF file is analyzed to count the fonts in its font table. If the count exceeds a preconfigured limit, the font table is removed from the file.

By default, font tables with more than 4096 fonts are removed. This limit can be adjusted to match your specific use case.
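As an added example (not OPSWAT's code, and not a description of how Deep CDR is implemented internally), the following Python script applies the same check to a raw RTF byte stream: it locates each \fonttbl group, counts the \fN entries inside it, and drops the whole group when the count exceeds a configurable cap that defaults to the 4096 quoted above. The regular expressions, the function names, and the document produced by build_sample are assumptions made for this illustration; the sample input is constructed here, not a captured malicious file.

```python
import re

# Default cap taken from the page: font tables with more than 4096 entries are removed.
DEFAULT_MAX_FONTS = 4096

# Start of an RTF font table group, e.g. b"{\fonttbl". Assumed pattern for this
# example: whitespace after '{' and a "\*" prefix are not handled.
FONTTBL_RE = re.compile(rb"\{\\fonttbl(?![A-Za-z])")

# One font definition inside the table, e.g. b"\f0" or b"\f32768".
# Control words such as \fonttbl, \fnil or \fcharset have no digit after \f and do not match.
FONT_ENTRY_RE = re.compile(rb"\\f\d+(?![A-Za-z])")


def find_group_end(data: bytes, start: int) -> int:
    r"""Return the index just past the '}' that closes the group opening at data[start].

    Tracks nesting depth and skips backslash escapes (\{, \}, \\) so a literal
    brace inside document text does not unbalance the count.
    """
    if data[start:start + 1] != b"{":
        raise ValueError("group does not start with '{'")
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2  # skip the escaped character or the first letter of a control word
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced RTF group")


def sanitize_rtf(data: bytes, max_fonts: int = DEFAULT_MAX_FONTS):
    r"""Remove every \fonttbl group whose \fN entry count exceeds max_fonts.

    Returns (sanitized_bytes, report); the report lists each font table found,
    its byte offset, its font count, and whether it was kept or removed.
    """
    out = bytearray()
    report = []
    pos = 0
    for m in FONTTBL_RE.finditer(data):
        if m.start() < pos:
            continue  # nested inside a table that was already removed
        end = find_group_end(data, m.start())
        count = len(FONT_ENTRY_RE.findall(data[m.start():end]))
        if count > max_fonts:
            out += data[pos:m.start()]  # copy everything before the table, skip the table
            pos = end
            report.append({"offset": m.start(), "fonts": count, "action": "removed"})
        else:
            report.append({"offset": m.start(), "fonts": count, "action": "kept"})
    out += data[pos:]
    return bytes(out), report


def build_sample(n_fonts: int) -> bytes:
    """Constructed sample input: a minimal RTF document with n_fonts font definitions."""
    table = b"".join(b"{\\f%d\\fnil Font%d;}" % (i, i) for i in range(n_fonts))
    return b"{\\rtf1\\ansi{\\fonttbl" + table + b"}\\f0 Hello, world.\\par}"


if __name__ == "__main__":
    for n in (3, 5000):
        cleaned, rep = sanitize_rtf(build_sample(n))
        print(n, "fonts ->", rep, len(cleaned), "bytes")
```

Run on the constructed 3-font document the file is returned unchanged; on the 5000-font variant the table is removed and the body text survives, with its \f0 reference now resolving to the application's default font. Two caveats: a real CDR engine parses and regenerates the document rather than slicing bytes, and this check addresses only the font-table vector, not other RTF constructs.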

Deep CDR provides an in-depth view listing the sanitized objects and the actions taken, which helps you define a configuration that fits your use case. Below is the result for the malicious RTF file after sanitization by Deep CDR: the abnormal font table was removed, which eliminated the attack vector, so users can open the file without fear of compromise.

Screenshot of RTF file with embedded fonts removed

Opening the original malicious RTF file and the sanitized version side by side shows that the abnormal embedded font table has been removed.

Image of side-by-side comparison of two RTF files. The left image displays a RTF file with malicious embedded font. Right image shows a sanitized file with no malicious embedded font.

Learn more about OPSWAT Deep CDR and Multiscanning, or consult an OPSWAT technical expert, to find the right solution for preventing zero-day and evasive malware.
