Security researcher Joshua Drake reached out to Microsoft last year with a technical advisory and proof of concept (PoC) showing a vulnerability in Microsoft Office's wwlib.dll. The vulnerability is tracked as CVE-2023-21716 and was rated critical, with a score of 9.8 out of 10. Now that Microsoft has addressed the issue in its February Patch Tuesday, the researcher has released the PoC publicly. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim who opens a malicious .RTF document. To take it one step further, the document does not have to be fully opened: an attack could start if the victim does as little as preview the document in their Outlook email client.
There is no indication that this attack is being carried out in the wild. Microsoft has addressed the issue with a patch and noted that workarounds are available if needed. For anyone who cannot apply the fix for some reason, Microsoft recommends reading all emails in plain text. Another workaround is to enable the Microsoft Office File Block Policy, which prevents Office apps from opening RTF documents from unknown origins. To do this, the administrator must modify the Windows Registry. As with any change to the Windows Registry, this one must be made carefully; if done incorrectly, a Registry change could completely crash a machine.