On July 11, 2023, Microsoft published a critical vulnerability (CVE-2023-36884) in Office and Windows HTML and also released a patch with 132 vulnerabilities, including 6 actively exploited and 37 categorized as Remote Code Execution (RCE) zero-day vulnerabilities.
Before understanding this CVE-2023-36884, we will check about Remote code Execution vulnerability. Remote Code Execution (RCE) can have significant impacts on systems and networks. When successfully exploited, RCE vulnerabilities allow attackers to execute arbitrary code on a targeted system remotely.
Attackers are actively exploiting this vulnerability by using specially crafted Microsoft Office documents. It is important to note that for the exploit to occur, the user needs to open the malicious document. This vulnerability poses a significant threat as it can be leveraged through various attack vectors, including phishing emails.
Below image shows for sample phishing campaign targeting defense and government organizations: -
Recommendation For CVE-2023-36884:
Microsoft team recommends the following mitigations to minimize the impact of activities associated with Storm-0978's operations:
- Activate cloud-delivered protection in your antivirus software to block evolving attacker tools. Cloud-based machine learning defends against new and unknown variants effectively.
- Enable EDR in block mode to proactively block malicious artifacts with Microsoft Defender for Endpoint, even when non-Microsoft antivirus fails or when Microsoft Defender Antivirus is in passive mode. EDR in block mode swiftly remediates post-breach detections.
- Maintain up-to-date systems with regular security patching and updates from Microsoft.
- Regularly backup critical data and systems for effective disaster recovery.
- Implement a restriction to disable child process generation in all Office applications.
- For organizations unable to implement the aforementioned protective measures, configuring the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key can provide mitigation against exploitation. However, it is crucial to be aware that these registry settings may affect the normal functionality of certain applications in specific scenarios.
- To prevent cross-protocol file navigation in the mentioned applications, add the following application names as REG_DWORD values to the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" with a data value of 1:
- Excel.exe
- Graph.exe
- MSAccess.exe
- MSPub.exe
- PowerPoint.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
References:
Contributed by Manab Jyoti Dowarah
0 Comments