CVE-2023-21716

Обходное решение

Use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Impact of Workaround. Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 922849 will be unable to open documents saved in the RTF format.

For Office 2013

1. Run regedit.exe as Administrator and navigate to the following subkey:

   `[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]`

2. Set the RtfFiles DWORD value to 2.

3. Set the OpenInProtectedView DWORD value to 0.

For Office 2016

1. Run regedit.exe as Administrator and navigate to the following subkey:

   `[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]`

2. Set the RtfFiles DWORD value to 2.

3. Set the OpenInProtectedView DWORD value to 0.

For Office 2019

1. Run regedit.exe as Administrator and navigate to the following subkey:

   `[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]`

2. Set the RtfFiles DWORD value to 2.

3. Set the OpenInProtectedView DWORD value to 0.

For Office 2021

1. Run regedit.exe as Administrator and navigate to the following subkey:

   `[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]`

2. Set the RtfFiles DWORD value to 2.

3. Set the OpenInProtectedView DWORD value to 0.

How to undo the workaround

For Office 2013

1. Run regedit.exe as Administrator and navigate to the following subkey:

   `[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]`

2. Set the RtfFiles DWORD value to 0.

3. Leave the OpenInProtectedView DWORD value set to 0.

For Office 2016

1. Run regedit.exe as Administrator and navigate to the following subkey:

   `[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]`

2. Set the RtfFiles DWORD value to 0.

3. Set the OpenInProtectedView DWORD value to 0.

For Office 2019

1. Run regedit.exe as Administrator and navigate to the following subkey:

   `[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]`

2. Set the RtfFiles DWORD value to 0.

3. Set the OpenInProtectedView DWORD value to 0.

For Office 2021

1. Run regedit.exe as Administrator and navigate to the following subkey:

   `[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]`

2. Set the RtfFiles DWORD value to 0.

3. Set the OpenInProtectedView DWORD value to 0.

FAQ

What is the attack vector for this vulnerability?

An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file.

Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.

I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?

No. Customers running SharePoint Enterprise Server 2013 Service Pack 1 should install either of the following:

• Cumulative update (ubersrv13). Note that this update also includes the *srvloc2013 update
• Both of the security updates (sts2013 AND *loc2013), which are the same updates as for Foundation Server 2013

Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates.

I am running SharePoint Foundation 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Foundation 2013 Service Pack 1 ?

Yes, customers running SharePoint Foundation 2013 Service Pack 1 should install both of the security updates. The updates can be installed in any order.