Edit 1: Microsoft has released an update for Microsoft Office, providing enhanced security as a defense-in-depth measure. Microsoft has also stated that installing this update will prevent the attack chain leading to CVE-2023-36884.
July 2023's Patch Tuesday has witnessed 5 zero-days and 9 critical vulnerabilities. Among the zero-days, CVE-2023-36884, a Remote Code Execution vulnerability, is making the headlines.
As per reports, CVE-2023-36884 is a zero-day affecting Microsoft Office and Windows. Assigned a CVSS 3.1 score (base score metrics) of 8.3, this vulnerability is being actively exploited, and the proof of concept (POC) has been publicly disclosed.
MSRC states, "An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."
Microsoft has also stated that they are aware of the targeted attacks on organizations being performed by leveraging this vulnerability.
So far, no security updates (or patches) have been released to mitigate the vulnerability. However, Microsoft has listed out manual mitigation methods to secure the systems from being exploited:
1) Usage of Microsoft Defender for Office can prevent this vulnerability from being exploited via attachments.
2) Blocking all Office applications from creating child processes can also prevent the vulnerability from being exploited in the current attack chains.
3) For organizations that are unable to use the above-mentioned protections, Microsoft has listed modifying registry settings as the final option:
"Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.
Add the following application names to this registry key as values of type REG_DWORD with data 1:"
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
Powerpnt.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe
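The registry mitigation above can be audited and applied from an elevated PowerShell session. The script below is an added example, not a script from Microsoft or Endpoint Central; the -Remediate switch and the Get-MitigationState function are names chosen for this example. Without -Remediate it only reports the current state, and it supports -WhatIf.

```powershell
# Added example: audit and optionally set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION values.
# Writing under HKLM requires an elevated (administrator) session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # name chosen for this example: report only unless supplied
)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'Powerpnt.exe',
        'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

function Get-MitigationState {
    # Returns one row per application; a missing key yields all rows non-compliant.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($app in $Apps) {
        $present = $key -and ($key.GetValueNames() -contains $app)
        $kind    = if ($present) { $key.GetValueKind($app) } else { $null }
        $value   = if ($present) { $key.GetValue($app) } else { $null }
        [pscustomobject]@{
            Application = $app
            Kind        = $kind
            Value       = $value
            # Compliant only when the value is a REG_DWORD with data 1
            # (a REG_SZ "1" would pass a loose comparison, so the kind is checked too).
            Compliant   = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $value -eq 1)
        }
    }
}

if ($Remediate) {
    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null   # -Force creates missing parent keys
        }
    }
    foreach ($row in (Get-MitigationState | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$($row.Application)", 'Set REG_DWORD = 1')) {
            # -Force overwrites an existing value, including one of the wrong type
            New-ItemProperty -Path $KeyPath -Name $row.Application `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Final state, suitable for logging or for collection by a management tool
Get-MitigationState | Format-Table -AutoSize
```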
As of now, no security updates (patches) have been released by Microsoft to mitigate this vulnerability.
However, if you're an Endpoint Central user, you can seamlessly deploy the mitigation step suggested by Microsoft to the affected systems, from the product console.
Note: Patches, once released by the vendor, will be added to this forum.