This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: A heap corruption bug in the RTF parser of Microsoft Word (the `wwlib` component). **Consequences**: Remote Code Execution (RCE) in the context of the user who opens the document.…
**Root Cause**: CWE-190 (Integer Overflow or Wraparound). **Flaw**: Improper handling of the RTF font table (the `{\fonttbl ...}` group) in `wwlib`: an integer overflow while processing a crafted document leads to heap corruption.
Q3 Who is affected? (Versions/Components)
**Vendor**: Microsoft. **Affected Products**: Microsoft Office Online Server, Office 2019 for Mac, Microsoft 365 Apps (64-bit), SharePoint Enterprise Server 2016, and Office LTSC for Mac 2021.… (The list is truncated here; consult the vendor advisory for the complete set of products and fixed builds.)
**Privileges**: Code runs with the privileges of the logged-in user who opened the file. **Data**: Complete compromise of that user's data and session. The CVSS score is **Critical (9.8)**: high impact on Confidentiality, Integrity, and Availability. Note that a CVSS 3.x base score of 9.8 implies no user interaction (UI:N); with the open-the-attachment vector described under **UI** below, the same impacts score 8.8 (UI:R), so verify the vector string against the vendor advisory rather than the headline number.…
**Threshold**: LOW. **Auth**: None required for the attacker. **UI**: The victim only needs to **open** the malicious RTF document (delivered as an email attachment or otherwise). No complex configuration changes are needed. Word selects the RTF parser by file content, not extension, so the document may arrive with a `.doc` or other Office extension rather than `.rtf`.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Exploit Status**: YES. **PoCs Available**: multiple public proof-of-concept repositories exist on GitHub (e.g. `FeatherStark`, `Xnuvers007`, `CKevens`). The analysis cites no confirmed in-the-wild exploitation but rates it highly likely given the ease of delivery via email. Treat PoC repositories for high-profile CVEs with care: verify their contents in an isolated environment before running anything, as such repositories are frequently incomplete or themselves malicious.
Q7 How to self-check? (Features/Scanning)
**Detection**: Use YARA rules (see the `AmgdGocha` repo) to scan for malicious RTF files. **Scanning**: Check installed Office builds against the products listed in Q3. Monitor email gateways for RTF attachments, matching on content (the leading `{\rtf` control word) rather than on file extension.…
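A content-based triage script for the RTF handling described above, added here as an example and not taken from the page, the YARA repository it cites, or Microsoft: it identifies RTF by its `{\rtf` header regardless of extension (Word picks the parser by content), then walks the `{\fonttbl ...}` group and flags tables with an implausible entry count or `\fN` index. The thresholds (`MAX_FONT_ENTRIES`, `MAX_FONT_INDEX`) and the sample documents are constructed assumptions, not published indicators of this bug; the script surfaces outliers for analyst review and does not claim to detect the exploit itself.

```python
"""Heuristic RTF font-table triage (added example; thresholds are assumptions)."""
import re
from typing import Optional

RTF_MAGIC = b"{\\rtf"
# Matches font definitions \f0, \f1, ...; \fnil, \fswiss, \fs24 and \fonttbl do not match.
FONT_ENTRY = re.compile(rb"\\f(\d+)")

# Assumed heuristic thresholds, not vendor-published indicators.
MAX_FONT_ENTRIES = 1024   # real documents carry a few to a few dozen fonts
MAX_FONT_INDEX = 32767    # RTF numeric parameters are nominally 16-bit signed


def is_rtf(data: bytes) -> bool:
    """Word recognises RTF by the leading control word, whatever the file extension."""
    return data.lstrip()[:len(RTF_MAGIC)].lower() == RTF_MAGIC


def extract_group(data: bytes, name: bytes) -> Optional[bytes]:
    """Return the first {\\name ...} group including nested braces, or None if it
    is absent or unterminated (an unterminated group is itself worth a look)."""
    start = data.find(b"{\\" + name)
    if start < 0:
        return None
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":            # skip the control/escaped character after a backslash (\{ \} \')
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return None


def font_table_stats(data: bytes) -> dict:
    """Size, entry count and largest \\fN index of the font table, if present."""
    group = extract_group(data, b"fonttbl")
    if group is None:
        return {"present": False}
    indices = [int(m.group(1)) for m in FONT_ENTRY.finditer(group)]
    return {"present": True, "bytes": len(group), "entries": len(indices),
            "max_index": max(indices) if indices else None}


def triage(data: bytes) -> list:
    """Return a list of findings; an empty list means the blob is not RTF at all."""
    findings = []
    if not is_rtf(data):
        return findings
    findings.append("rtf-content")
    stats = font_table_stats(data)
    if not stats["present"]:
        findings.append("fonttbl-missing-or-unterminated")
        return findings
    if stats["entries"] > MAX_FONT_ENTRIES:
        findings.append("fonttbl-entries:%d" % stats["entries"])
    if stats["max_index"] is not None and stats["max_index"] > MAX_FONT_INDEX:
        findings.append("fonttbl-index:%d" % stats["max_index"])
    return findings


# Constructed sample inputs for demonstration (not real malware samples).
BENIGN_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0\\froman Times New Roman;}{\\f1\\fswiss Arial;}}\\f0 Hello}"
ODD_FONT_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fnil Calibri;}{\\f70000\\fnil X;}}\\f0 Hi}"  # may be named .doc
UNTERMINATED_RTF = b"{\\rtf1{\\fonttbl{\\f0 A;"
OLE2_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8   # compound-file header, not RTF

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_RTF), ("odd-font", ODD_FONT_RTF),
                        ("unterminated", UNTERMINATED_RTF), ("ole2", OLE2_DOC)]:
        print(label, triage(blob))
```

Run it over quarantined attachments or a mail-store export and pair the `rtf-content` finding with the cited YARA rules for actual signature matching; the font-table thresholds only single out structurally odd documents for manual review.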
**Workaround**: If patching is delayed: 1. Block RTF attachments at the email gateway, matching on content rather than extension, since Word parses RTF whatever the file name. 2. Disable macro execution in Office (general hardening only; this parser bug needs no macros, so macro settings do not mitigate it). 3. Open all Office documents in Protected View; Office File Block Settings can additionally block RTF outright or force it into Protected View. 4.…
**Priority**: CRITICAL. **Urgency**: HIGH. With public PoCs and a CVSS of 9.8, treat this as an imminent threat. Patch immediately to prevent RCE via a simple email attachment.