CVE-2023-36884 Office and Windows HTML RCE Vulnerability
Description
CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the “Block all Office applications from creating child processes” Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2023-07-11
- Author: Michael Haag, Splunk
- ID: dd7fb691-63d6-47ad-9a7f-1b9005cefad2
Narrative
CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch.
An attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim’s machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access.
Currently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency.
In the meantime, users of Microsoft Defender for Office and those utilizing the “Block all Office applications from creating child processes” Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing.
For users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as “1”. This action aims to mitigate the risk until a permanent fix is available.
The disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google’s Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue.
Detections
Reference
- https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/
- https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
source | version: 1