A proof of concept for CVE-2023-21716, a critical RCE vulnerability in Microsoft Word, has surfaced online.


A proof of concept has been published for CVE-2023-21716 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716), a critical RCE vulnerability in Microsoft Word. It scored 9.8 out of 10 because the attack is so simple: no privileges and no elaborate phishing are required, the user only has to load the malicious file in the email attachment preview. The bug is a heap corruption in the RTF parser, triggered when it processes a font table containing an excessive number of fonts, and it was fixed in Microsoft's February patch.
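
For triage of inbound attachments, the font-table condition described above can be checked statically. The following is an added example, not code from the advisory or from the published PoC: it counts the font entries in an RTF file's `\fonttbl` group and flags tables that are oversized or never closed. The threshold `MAX_FONTS`, the function names and the sample documents are assumptions made for this illustration.

```python
import re

# Assumption: triage threshold picked for this example, not a value from the
# advisory; tune it against the documents you normally receive.
MAX_FONTS = 1000
# A font entry is the control word \f followed by digits (\fs, \fnil etc. do not match).
FONT_ENTRY = re.compile(rb"\\f\d+")

def font_table_group(data: bytes):
    """Return (group_bytes, closed) for the first \\fonttbl group, or None."""
    start = data.find(rb"\fonttbl")
    if start < 0:
        return None
    depth, i = 1, start              # the group's opening brace precedes \fonttbl
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":               # skip control symbols such as \{ \} \\
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i], True
        i += 1
    return data[start:], False       # group never closed: truncated or malformed

def triage_rtf(data: bytes, max_fonts: int = MAX_FONTS) -> dict:
    """Count font-table entries and flag oversized or unterminated tables."""
    result = {"rtf": data.lstrip().startswith(rb"{\rt"), "fonts": 0,
              "closed": True, "suspicious": False}
    found = font_table_group(data) if result["rtf"] else None
    if found:
        group, closed = found
        fonts = len(FONT_ENTRY.findall(group))
        result.update(fonts=fonts, closed=closed,
                      suspicious=fonts > max_fonts or not closed)
    return result

# Constructed samples, small on purpose; they are not taken from any real file.
BENIGN = rb"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f1\froman Times \{New\};}}\f0\fs24 Hi}"
MANY = rb"{\rtf1{\fonttbl" + b"".join(b"{\\f%d\\fnil F;}" % n for n in range(40)) + b"}}"
TRUNCATED = rb"{\rtf1{\fonttbl{\f0\fnil F;}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("many", MANY), ("truncated", TRUNCATED)):
        print(name, triage_rtf(doc, max_fonts=25))
```

A hit from this check is a reason to quarantine and inspect the file, not proof of an exploit; installing the February patch remains the actual fix.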

There are no known examples yet of the exploit being used in the wild, but with the PoC published, the chances of attacks increase dramatically. A similar vulnerability in Microsoft Excel Equation Editor was fixed back in 2017, but it is still used by attackers (https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/). Moreover, it is not only the attack that stands out for its simplicity but also the proof of concept itself: initially a little more than 12 lines with comments, it now fits in a tweet. Now that is what I call efficient code.