
Mitigating the CVE-2023-21716 Vulnerability: Challenges and Solutions

June 29, 2023

Hidden threats in files are a constant danger for businesses, as Microsoft's announcement of a critical vulnerability has highlighted once again. In the announced vulnerability, CVE-2023-21716, researchers demonstrated via a proof of concept (PoC) the ability to execute code embedded in an RTF file with the same privileges as the user who opened it.

A code execution vulnerability sets the stage for a wide variety of attacks with minimal effort by an attacker. This is why the vulnerability was given a CVSS score of 9.8, a score that reflects both how easy the attack is to carry out and how severe its impact is when it succeeds.

This blog will explore the challenges of handling this vulnerability and how they can be overcome. 

Understanding How CVE-2023-21716 Works

The threat posed by this vulnerability has been known for some time. It was first announced in November 2022 by security researcher Joshua Drake, who highlighted how corruption of the font table in RTF files could lead to heap corruption, allowing arbitrary code execution. Since his announcement email outlined a proof of concept, it is only a matter of time before a full-blown attack leveraging this vulnerability makes its way into circulation.

Previous vulnerabilities like this are still commonly used, even after a formal patch has been issued, because many organizations are slow with patch management. An example is the Microsoft Excel Equation Editor vulnerability, which APT groups still use as a vector for malicious payloads because it executes so reliably. The similarities between it and the newly announced RTF vulnerability suggest that a similar level of prolonged abuse could occur.

The threat of this vulnerability is amplified by how easy it is to trigger. All it takes is an individual opening a file to exploit the vulnerability and run the embedded code. Microsoft noted in the threat announcement that the preview pane can even be used as an attack vector, highlighting how easily companies can fall victim to this attack.

Why CVE-2023-21716 is Still a Concern

Not every organization is able to stop on a dime and patch its infrastructure. With staffing challenges, companies find that patching lags behind. Surveys have shown that 61% of organizations fall behind on patching because other priorities take precedence.

This problem is amplified for highly regulated industries, such as military, medical, or manufacturing, which often have slow change management processes where patches and similar changes are thoroughly vetted before being applied. This vetting process is in place to ensure that the fixes do not introduce unintended problems that could result in data exposures. 

Along with this, patching often requires stopping and restarting applications or even a full system reboot. For mission-critical systems, this necessitates planned outages with time built in to account for the risk that an application no longer works or a system does not come back properly from a reboot. As easy as it is to say "just patch it," the actual process is often far more involved.

Workarounds Only Add Concerns

Microsoft has published some workarounds to mitigate the threat, but none is both simple to implement and compatible with normal business operations. The first and simplest is to read email in plain text only. While this eliminates the risk, it also strips all images and formatting from the email. Removing this content discards a significant amount of essential information, reducing the effectiveness of email for sharing it.

Alternatively, Microsoft recommends that organizations add a file block policy that prevents opening RTF documents of unknown or untrusted origin. While this appears to be a workable solution at first, it can also stop legitimate RTFs from being opened.

The final solution Microsoft offers is a registry change. This may be viable for larger organizations that can push the registry key via a GPO (Group Policy Object), but it does not scale well for smaller organizations, which may have to apply the fix manually, or for individual users. Complicating this further, mistakes when editing the registry can have significant consequences, up to and including requiring a reinstallation of the OS. Even when this fix is applied correctly, it also has the potential to make RTFs unusable.

CDR Stops Hidden Threats

Rather than dealing with complicated fixes or the loss of functionality in files, there is another option. Content Disarm and Reconstruction (CDR) eliminates the problem of hidden threats in files: files are rebuilt from known-safe components, removing every area where malicious code could lurk and ensuring that the files delivered are free of threats and safe to access.

No Loss of Functionality

Maintaining file fidelity is crucial to business operations as it allows users to continue working with their files as usual without disrupting their business processes. Alterations to file types or content, such as removing formatting, macros, images, or layers, eliminate the context of the presented data. 

Preserving file format and functionality is crucial because many file types have specific features and capabilities essential for their intended use. For example, a Microsoft Word document may contain macros that automate repetitive tasks or complex calculations. The document may become unusable or lose necessary functionality if these macros are removed or altered. Similarly, a PDF file may contain interactive elements such as forms or multimedia content critical to its intended purpose. 

Missing any of this information can lead to the misrepresentation of data or the inability to fully view and modify the contents, making the files less functional and interrupting business operations. The most advanced CDR solutions are able to deliver files back in the same format with all existing formatting and functionality in place without the risk of hidden threats in the file. 

Continuous Protection

The other key to stopping hidden embedded threats in files is ensuring that protection is applied to all content without user intervention. Any solution that depends on users taking action is prone to failure, as users get too busy to take the steps, forget, or become lax in following processes. The most mature CDR solutions eliminate this by delivering the service via an API to which different applications and services can connect, for example by routing all email traffic through the API so that content is sanitized as it arrives.

This model allows for a Zero Trust methodology for sanitization using a combined effort to detect, disarm, and analyze. First, all files are scanned for known hidden threats using traditional antivirus (AV). Because AV alone is no guarantee, this is where CDR comes into play: sanitizing files regardless of origin as they arrive, disarming them and rebuilding them into safe and usable files from their known-safe components. This eliminates the risk of end users skipping the process and guarantees that all content is cleansed of threats every time, which is validated by detailed analysis, including retrospective AV signature checks that later identify the zero-day threats CDR had already eliminated.
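To make the font-table corruption described under "Understanding How CVE-2023-21716 Works" and the disarm-and-rebuild step just described concrete, the following script is an added example written for this post; it is not Votiro's product code and not anything published by Microsoft or the researcher. It parses an RTF file into its group tree, builds a fresh font table that keeps only well-formed entries (a table with more than MAX_FONTS entries is replaced outright, and font ids outside 0..65535 or overlong names are rejected), then re-emits the document from an allowlist of control words only, so embedded objects, pictures and other unknown destinations are never copied into the clean file. The ceilings, the allowlist, the function names and the sample document are all assumptions of the example; the list of dropped items it returns stands in for the analysis record a CDR pipeline would produce.

```python
"""Toy Content Disarm and Reconstruction (CDR) for RTF: added example, not Votiro's code. Rebuilds the font
table from validated entries only (the structure CVE-2023-21716 corrupts) and re-emits the document from an
allowlist of control words, so objects, pictures and unknown destinations never reach the reader."""
import re
MAX_FONTS, MAX_NAME, MAX_PARAM = 64, 64, 65535   # assumed ceilings for a business document, not from the advisory
SAFE_WORDS = {"rtf", "ansi", "ansicpg", "deff", "fonttbl", "f", "fnil", "froman", "fswiss", "fmodern",
              "fscript", "fdecor", "ftech", "fbidi", "fcharset", "colortbl", "red", "green", "blue",
              "pard", "par", "plain", "line", "tab", "b", "i", "ul", "ulnone", "fs", "cf", "ql", "qc", "qr"}
FAMILIES = {"fnil", "froman", "fswiss", "fmodern", "fscript", "fdecor", "ftech", "fbidi"}
SAFE_SYMBOLS = set("\\{}~-_'")       # escaped backslash/braces, nbsp, hyphens, \'hh code-page bytes
TOKEN_RE = re.compile(r"\\([A-Za-z]+)(-?\d+)? ?"        # control word + parameter; delimiter space eaten
                      r"|\\(.?)|([{}])|([^\\{}]+)", re.S)  # control symbol, group brace, plain text

def parse(rtf):
    """Tree of groups (lists) and leaves: ('cw', word, param), ('sym', char, None) or ('text', str, None)."""
    stack = [[]]
    for m in TOKEN_RE.finditer(rtf):
        word, param, sym, brace, text = m.groups()
        if brace == "{":
            stack[-1].append([])
            stack.append(stack[-1][-1])
        elif brace == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif word:
            stack[-1].append(("cw", word, int(param) if param is not None else None))
        else:
            stack[-1].append(("sym", sym, None) if sym is not None else ("text", text, None))
    if len(stack) != 1:
        raise ValueError("unclosed group")
    return stack[0]

def rebuild_fonttbl(group, dropped):
    """Fresh font table from well-formed {\\fN \\family Name;} entries; returns (group, valid ids)."""
    entries = []
    for e in (g for g in group if isinstance(g, list)):
        toks = [t for t in e if isinstance(t, tuple)]            # nested groups inside an entry are ignored
        fid = next((t[2] for t in toks if t[:2] == ("cw", "f")), None)
        fam = next((t[1] for t in toks if t[0] == "cw" and t[1] in FAMILIES), "fnil")
        name = "".join(t[1] for t in toks if t[0] == "text").strip().rstrip(";").strip()
        entries.append((fid, fam, name))
    if len(entries) > MAX_FONTS:                                  # oversized table: replace it outright
        dropped.append("font table with %d entries replaced" % len(entries))
        entries = []
    new, ids = [("cw", "fonttbl", None)], set()
    for fid, fam, name in entries:
        if (fid is None or not 0 <= fid <= MAX_PARAM or fid in ids
                or not 0 < len(name) <= MAX_NAME or not name.isascii() or not name.isprintable()):
            dropped.append("font entry %r rejected" % (fid,))
        else:
            ids.add(fid)
            new.append([("cw", "f", fid), ("cw", fam, None), ("text", name + ";", None)])
    if not ids:                                                   # always leave the reader one usable font
        new.append([("cw", "f", 0), ("cw", "fswiss", None), ("text", "Arial;", None)])
        ids.add(0)
    return new, ids

def sanitize_group(group, ctx):
    """Copy a group keeping only allowlisted tokens; None means the whole group is dropped."""
    head = group[0] if group and isinstance(group[0], tuple) else None
    drop = ("\\*" if head == ("sym", "*", None) else                  # ignorable destination: \objdata ...
            "\\" + head[1] if head and head[0] == "cw" and head[1] not in SAFE_WORDS else None)  # \object, \pict
    if drop:
        ctx["dropped"].append("group " + drop)
        return None
    out = []
    for t in group:
        if isinstance(t, list):                                       # the rebuilt font table goes in once
            sub = ctx.pop("table", None) if t[:1] == [("cw", "fonttbl", None)] else sanitize_group(t, ctx)
            if sub is not None:
                out.append(sub)
            continue
        allowed = SAFE_WORDS if t[0] == "cw" else SAFE_SYMBOLS if t[0] == "sym" else {t[1]}
        bad = ("not allowlisted" if t[1] not in allowed else
               "out of range" if t[2] is not None and abs(t[2]) > MAX_PARAM else
               "unknown font" if t[0] == "cw" and t[1] in ("f", "deff") and t[2] not in ctx["fonts"] else None)
        if bad:
            ctx["dropped"].append("\\%s%s %s" % (t[1], "" if t[2] is None else t[2], bad))
        else:
            out.append(t)
    return out

def emit(tokens):
    """Serialise a token tree back to RTF text; every control word gets an explicit delimiter space."""
    return "".join("{%s}" % emit(t) if isinstance(t, list) else
                   "\\%s%s " % (t[1], "" if t[2] is None else t[2]) if t[0] == "cw" else
                   "\\" + t[1] if t[0] == "sym" else t[1] for t in tokens)

def sanitize_rtf(rtf):
    """Disarm and reconstruct one document; returns (clean_rtf, list of what was dropped and why)."""
    root = parse(rtf)
    if len(root) != 1 or not isinstance(root[0], list) or root[0][:1] != [("cw", "rtf", 1)]:
        raise ValueError("not an RTF 1.x document")
    ctx = {"dropped": []}
    table = next((g for g in root[0] if isinstance(g, list) and g[:1] == [("cw", "fonttbl", None)]), [])
    ctx["table"], ctx["fonts"] = rebuild_fonttbl(table, ctx["dropped"])
    return emit([sanitize_group(root[0], ctx)]), ctx["dropped"]

# Constructed sample (harmless, not a real exploit): two legitimate fonts plus an oversized font id,
# an embedded-object destination, a non-allowlisted destination and a dangling font reference.
SAMPLE = (r"{\rtf1\ansi\deff0{\fonttbl{\f0\fswiss Arial;}{\f1\fnil Courier New;}{\f999999 Huge;}}"
          r"{\*\objdata 0105000002000000}\pard\f1\fs24 Hello \b world\b0 \'e9{\object\objemb junk}\f999999 tail\par}")
```

Calling `sanitize_rtf(SAMPLE)` returns the reconstructed document, which still carries both real fonts, the bold run and the hex-escaped character, together with four dropped items: the oversized font entry, the `\*\objdata` group, the `\object` group and the dangling `\f999999` reference. Running the output through `sanitize_rtf` a second time changes nothing and drops nothing, which is the property a rebuilt-from-known-safe-components file should have. A real CDR engine covers the whole RTF specification and many other formats; this toy allowlist drops any formatting it does not know rather than preserving it.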

Votiro Stops Hidden Threats

Votiro specializes in Content Disarm and Reconstruction (CDR) and has established itself as a leader in the field. Votiro focuses solely on delivering top-quality CDR rather than offering CDR as an ancillary feature among a suite of tools. Our mature CDR solution delivers a proven return on investment and instant value while protecting customers against hidden threats. Votiro's dynamic scaling enables customers to scale processing bandwidth up or down as needed, ensuring their requirements are met at any time.

Votiro’s CDR protection is built on an API-centric solution that seamlessly integrates into existing business workflows, enabling organizations to enjoy immediate protection against cyber threats. Implementation times are impressively short, with SaaS installations taking as little as 10 minutes and on-premises installations taking just 90 minutes.

Contact us today to learn how Votiro sets the bar when it comes to preventing hidden threats in files so that your employees and systems remain secure while maintaining productivity. And if you’re ready to try Votiro for yourself, start today with a free 30-day trial.