Hidden threats in files are a constant danger for companies doing business, which has again been highlighted with the announcement by Microsoft of a critical vulnerability. In the announced vulnerability, CVE-2023-21716, researchers demonstrated via a proof of concept (PoC) the ability to execute code embedded in an RTF file with the same privileges as the user who opened it.
A code execution vulnerability sets the stage for a wide variety of attacks with minimal effort by an attacker. This is why the vulnerability was given a CVSS score of 9.8. This score reflects a combination of the ease of carrying out the attack and its significant impact when executed.
This blog will explore the challenges of handling this vulnerability and how they can be overcome.
What it does
The threat of this vulnerability has been known for some time. It was initially announced in November of 2022 by security researcher Joshua Drake. In this announcement, he highlighted how the corruption of the font table in RTF files could lead to heap corruption, allowing arbitrary code execution. Because he outlined a proof of concept in his announcement email, it is only a matter of time before a full-blown attack leveraging this vulnerability makes its way into circulation.
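Because the weakness lies in a malformed font table, a defender can triage inbound RTF files by checking that the font table is structurally sane before anything opens them. The following checker is an added example, not code from the original post or from Votiro; the two sample RTF strings are constructed, and the entry-count and font-number limits are assumed triage thresholds rather than values from the RTF specification.

```python
import re

# Constructed samples (not real malware): a well-formed RTF and one whose
# font table contains an out-of-range font number and a duplicate entry.
BENIGN_RTF = r"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f1\froman Times New Roman;}}\f0 Hello}"
MALFORMED_RTF = r"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f99999\froman X;}{\f0 Dup;}}\f0 Hi}"

FONTTBL_RE = re.compile(r"\\fonttbl")
# Font definitions are \fN with a decimal number; \fswiss, \froman, \fcharset etc.
# have a letter after \f and therefore do not match.
FONT_ENTRY_RE = re.compile(r"\\f(-?\d+)")


def extract_group(data, start):
    """Return the brace group that begins at data[start] == '{', or None if unbalanced."""
    depth = 0
    for i in range(start, len(data)):
        if data[i] == "{":
            depth += 1
        elif data[i] == "}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
    return None  # ran off the end without closing: malformed document


def check_font_table(rtf, max_fonts=512, max_font_num=32767):
    """Return a list of findings; an empty list means the font table looks sane.
    max_fonts and max_font_num are assumed triage limits, not spec values."""
    findings = []
    m = FONTTBL_RE.search(rtf)
    if not m:
        return ["no font table present"]
    brace = rtf.rfind("{", 0, m.start())  # the '{' that opens {\fonttbl ...}
    group = extract_group(rtf, brace) if brace >= 0 else None
    if group is None:
        return ["unbalanced braces around font table"]
    nums = [int(n) for n in FONT_ENTRY_RE.findall(group)]
    if len(nums) > max_fonts:
        findings.append(f"font table has {len(nums)} entries (limit {max_fonts})")
    for n in nums:
        if n < 0 or n > max_font_num:
            findings.append(f"font number {n} out of range 0..{max_font_num}")
    dups = sorted({n for n in nums if nums.count(n) > 1})
    if dups:
        findings.append(f"duplicate font numbers: {dups}")
    return findings


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("malformed", MALFORMED_RTF)):
        print(name, check_font_table(doc) or "ok")
```

A file that produces findings is a candidate for quarantine or sanitization rather than proof of exploitation; the check only validates structure, it does not detect a payload.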
Previous vulnerabilities like this are still commonly used, even after a formal patch has been issued, as many organizations are slow with patch management. An example is the Microsoft Excel Equation Editor vulnerability which is still used by APT groups as a vector for malicious payloads as it is so reliable to execute. The similarities between this and the newly announced RTF vulnerability imply that a similar level of prolonged abuse could occur.
The threat of this vulnerability is amplified by how easy it is to execute. All it takes is an individual opening a file to exploit the vulnerability and run the embedded code. Microsoft noted in the threat announcement that the preview pane can even be used as an attack vector, highlighting how easy it is for companies to fall victim to this attack.
Workarounds Only Add Concerns
Microsoft has some solutions to mitigate the threat, but none are both simple to implement and effective at maintaining normal business operations. The first and simplest of these solutions is to configure email to be read in plain-text mode only. While this will eliminate the risk, it also removes all images and formatting in the email. Removing this content eliminates a significant quantity of essential information, reducing the effectiveness of email for sharing information.
Alternatively, Microsoft recommends that organizations add a file block policy that prevents opening RTF documents of unknown or untrusted origin. While this appears to be a reasonable solution at first, it can also block legitimate RTFs from being opened.
The final solution offered by Microsoft is a registry fix to stop the problem. This may be viable for larger organizations that can push the registry key via a GPO. Still, it does not scale well for smaller organizations that may have to apply the fix manually or for individual users. Complicating this further is that mistakes in editing the registry can have significant consequences, up to and including requiring a reinstallation of the OS. Even if this fix is applied correctly, it also has the potential to make RTFs unusable.
CDR Stops Hidden Threats
Rather than dealing with complicated fixes or the loss of functionality in files, there is a solution. Content Disarm and Reconstruction (CDR) eliminates the problem of hidden threats in files. Using CDR, files are rebuilt from known-safe components, eliminating all areas where malicious code could lurk and ensuring that files are sanitized of threats and safe to access.
No Loss of Functionality
Maintaining file fidelity is crucial to business operations as it allows users to continue working with their files as usual without disrupting their business processes. Alterations to file types or content, such as removing formatting, macros, images, or layers, eliminate the context of the presented data.
Preserving file format and functionality is crucial because many file types have specific features and capabilities essential for their intended use. For example, a Microsoft Word document may contain macros that automate repetitive tasks or complex calculations. The document may become unusable or lose necessary functionality if these macros are removed or altered. Similarly, a PDF file may contain interactive elements such as forms or multimedia content critical to its intended purpose.
Missing any of this information can lead to the misrepresentation of data or the inability to fully view and modify the contents, making the files less functional and interrupting business operations. The most advanced CDR solutions are able to deliver files back in the same format with all existing formatting and functionality in place without the risk of hidden threats in the file.
The other secret for stopping hidden embedded threats in files is ensuring that protection happens for all content without user intervention. Any solution that requires user actions is prone to failure, as users either get too busy to take the steps, forget, or become lazy in following processes. The most mature CDR solutions eliminate this by delivering the solution via an API to which different applications and services can connect, such as routing all email traffic through the API and sanitizing content as it arrives.
Using this model allows for a Zero Trust methodology for sanitization. Rather than selectively identifying threats and mitigating them as detected, all files, regardless of type or origin, are sanitized as they arrive. This eliminates the risk of end-users skipping the process and guarantees that all content is cleansed of threats every time.
Votiro Stops Hidden Threats
Votiro specializes in Content Disarm and Reconstruction (CDR) and has established itself as a leader in the field. Votiro focuses solely on delivering top-quality CDR solutions rather than offering CDR as an ancillary feature among a suite of tools. Our mature CDR model provides a proven return on investment and effectively protects customers against hidden threats. Votiro’s dynamic scaling enables customers to scale processing capacity up or down as needed, ensuring their file processing volume requirements are met at any time.
Votiro’s CDR protection is built on an API-centric solution that seamlessly integrates into existing business workflows, enabling organizations to enjoy immediate protection against cyber threats. Implementation times are impressively short, with SaaS installations taking as little as 10 minutes and on-premises installations taking just 90 minutes.
Contact us today to learn more about how Votiro sets the bar for preventing hidden threats in files so that your employees and systems can be secure while maintaining productivity.