Critical threat in RTF files (CVE-2023-21716)
Microsoft recently announced a newly discovered vulnerability in RTF files that allows an unauthenticated user to remotely execute commands on the host machine. An attacker could send a malicious e-mail containing an RTF payload that would allow execution of commands within the application used to open the malicious file. Another scenario would be RTF files arriving through supply-chain file shares. The vulnerability is also exploitable through the Windows preview pane.
This file-based threat is scored as ‘Critical’ by NIST, with a 9.8 Base Score, yet Microsoft assesses exploitation to be ‘less likely’, with no known exploits having been reported to date.
Microsoft recommends the following workarounds as partial mitigations:
- Configuring mail clients to open emails in text-only view
- Applying policies prohibiting the opening of RTF files from unknown or untrusted sources
- Updating SharePoint server software.
Other options include implementation of incoming content-cleansing technologies such as Sasa Software’s GateScanner CDR line.
Sasa Software researchers evaluated this vulnerability in the context of the Content Disarm and Reconstruction (CDR) file sanitization process applied by all GateScanner file-sanitization products, concluding that networks protected by GateScanner CDR technology are at zero risk from this type of critical, file-based vulnerability.
GateScanner’s proprietary deep-scan and ‘transformation through reconstruction’ processes eliminate the option of malicious payload delivery through RTF or any other file type among the 300+ supported by GateScanner technology.