Keep an eye on CVE-2023-21716, aka the MS Word vulnerability from February 2023 in RTF files.

There's a public proof of concept: https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md

Where it gets more interesting - you can embed RTF files in email, and Microsoft Outlook renders them with no clicks, by just reading the email. There's a decent chance this could become a problematic combination... although not yet, as the PoC is vague enough to require a clue to exploit. HT @fellows

#CVE202321716

Good luck anybody enabling this mitigation in a corporate environment, lmao.

I've been keeping an eye on #CVE202321716 (the MS Word RTF vuln) via #GossiMonitoring

The headline is, people are starting to experiment with it.

Interestingly, the way to embed RTF into email so it directly renders in Outlook appears to be undocumented online.

Either my Google-fu is bad or nobody has actually documented it - you can still do it and Exchange Server still passes it inbound, they only filtered outbound.

I’m not documenting it btw.

Haven't seen any working exploitation of #CVE202321716 at all - all just people reusing the crash PoC, nobody made it to RCE.

Four months later on CVE-2023-21716 - I still haven't seen a single in-the-wild document that reaches RCE for this, nor an RCE exploit.

#CVE202321716

@GossiTheDog the perfect example of why CVSS should not be relied on for quantifying risk