Edit 1: Microsoft has released an update for Microsoft Office that provides enhanced security as a defense-in-depth measure. Microsoft has also stated that installing this update will break the attack chain leading to CVE-2023-36884.
According to reports, CVE-2023-36884 is a zero-day vulnerability affecting Microsoft Office and Windows. It has been assigned a CVSS 3.1 base score of 8.3, is being actively exploited, and a proof of concept (PoC) has been publicly disclosed.
MSRC states, "An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."
Microsoft has also stated that it is aware of targeted attacks on organizations that leverage this vulnerability.
So far, no security updates (or patches) have been released to fix the vulnerability. However, Microsoft has listed manual mitigations to protect systems from exploitation:
1) Using Microsoft Defender for Office can prevent this vulnerability from being exploited via attachments.
2) Blocking all Office applications from creating child processes can also prevent the vulnerability from being exploited in the current attack chains.
3) For organizations that are unable to use the above protections, Microsoft lists modifying registry settings as the last resort:
"Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.
Add the following application names to this registry key as values of type REG_DWORD with data 1:"
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
Powerpnt.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe
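The registry mitigation quoted above, applied and verified with PowerShell. This is an added example written for this page, not Microsoft's guidance script and not the ManageEngine script mentioned below; it assumes an elevated session and adds a -Remove switch to roll the values back if they interfere with normal functionality, as the Microsoft note warns they may.

```powershell
# Added example: apply and verify the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# mitigation described in the advisory above. Run in an elevated PowerShell session.
# Not Microsoft's or ManageEngine's script; -Remove rolls the values back (assumed helper).
param([switch]$Remove)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
# Application names exactly as listed in the Microsoft guidance quoted above
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'Powerpnt.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

if ($Remove) {
    # Rollback path: delete only the values this mitigation adds, leave the key itself
    if (Test-Path $KeyPath) {
        foreach ($app in $Apps) {
            Remove-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue
        }
        Write-Host "Removed mitigation values from $KeyPath"
    }
    return
}

# Create the key (and any missing parent keys) if it does not exist yet
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Each application name becomes a REG_DWORD value with data 1, as the guidance states;
# -Force overwrites a value that already exists with different data
foreach ($app in $Apps) {
    New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify: read the values back and flag any entry that is missing or not equal to 1
$current = Get-ItemProperty -Path $KeyPath
$bad = $Apps | Where-Object { $current.$_ -ne 1 }
if ($bad) {
    Write-Warning ("Mitigation NOT fully applied for: " + ($bad -join ', '))
    exit 1
}
Write-Host "Mitigation applied: all $($Apps.Count) application values set to 1 under $KeyPath"
```

The verification step at the end is what you would reuse on its own (for example from a compliance check) to confirm the mitigation is still in place after the system has been updated or re-imaged.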
The mitigation steps suggested by Microsoft have been added to a script that can be downloaded from the ManageEngine website. Users can deploy this script to the required systems to prevent exploitation.
The above mitigation can also be deployed to systems seamlessly as a patch, directly from the Patch Manager Plus console:
1) Navigate to Patches > Supported Patches
2) Search for the Patch ID 110664
Patch ID: 110664
Patch Description: Mitigations for Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884)
3) Select the patch and deploy it to the required systems in the network
The configuration will be created automatically and applied to the systems.
Note: