[Updates released] [Zero-day] CVE-2023-36884 being targeted in the wild. No patches released yet.

Edit 1: Microsoft has released an update for Microsoft Office, providing enhanced security as a defense in depth measure. Further, Microsoft has also stated that installing this update will prevent the attack chain leading to CVE-2023-36884.

More details can be found in ADV230003.

The mitigation steps previously mentioned below have now been removed from Microsoft's official advisory.

July 2023's Patch Tuesday has witnessed 5 zero days and 9 critical vulnerabilities. Among the zero days, CVE-2023-36884 - a Remote Code Execution vulnerability is making the headlines.

About the vulnerability

As per reports, CVE-2023-36884 is a zero day affecting Microsoft Office and Windows. Assigned a CVSS 3.1 score (base score metrics) of 8.3, this vulnerability is being actively exploited and the proof of concept (POC) has been publicly disclosed.

MSRC states, "An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."

Microsoft has also stated that they are aware of the targeted attacks on organizations being performed by leveraging this vulnerability.

Mitigation steps

So far, no security updates (or patches) have been released to mitigate the vulnerability. However, Microsoft has listed out manual mitigation methods to secure the systems from being exploited:

1) Usage of Microsoft Defender for Office can prevent this vulnerability from being exploited via attachments.

2) Blocking all Office applications from creating child processes can also prevent the vulnerability from being exploited in the current attack chains.

3) For organizations who are unable to use the above-mentioned protections, Microsoft has listed modifying Registry Settings as the ultimate option:

"Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

Add the following application names to this registry key as values of type REG_DWORD with data 1.:"

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Excel.exe

Graph.exe

MSAccess.exe

MSPub.exe

Powerpnt.exe

Visio.exe

WinProj.exe

WinWord.exe

Wordpad.exe

The mitigation steps suggested by Microsoft have been added to a script that can be downloaded from the ManageEngine website. Users can deploy this script to the required systems to prevent exploitation.

Note:

1) If the above-mentioned registry keys are not available in the systems, the vulnerability will automatically be detected in the systems. (Navigate to Threats > Zero-day Vulnerabilities on the product console.)

2) If you've already followed the Mitigation step 1 or 2, kindly exlude the detected vulnerability from the systems.