top of page

CVE-2023-36884: Microsoft Office Zero Day RCE

Updated: Aug 12, 2023

Why did the code go to therapy? Because it couldn't handle all the "stress"!

Introduction


Very recently, a zero-day vulnerability with the identifier CVE-2023-36884 surfaced, posing a severe threat to Microsoft Windows and Office products. Cyber attackers have already initiated targeted attacks against government and defense organizations in Europe and North America, making it a matter of utmost concern for the security community.

CVE-2023-36884: Everything you need to know
CVE-2023-36884: Everything you need to know

The vulnerability, unveiled by Microsoft on July 11, allows malicious actors to execute remote code on the victim's computer by crafting a specially designed Microsoft Office document. For the exploit to succeed, the unsuspecting victim must open the malicious file.


How is the CVE-2023-36884 vulnerability exploited?


In recent revelations, Microsoft has disclosed that the zero-day vulnerability, CVE-2023-36884, has been actively exploited by a threat actor named Storm-0978, also known as RomCom. This actor has been involved in targeted attacks against defense and government organizations in Europe and North America. The exploitation campaign has employed a sophisticated technique wherein Microsoft Word documents were weaponized to pose as information regarding the Ukrainian World Congress.


The specific targets of these attacks were guests set to participate in the upcoming NATO Summit. BlackBerry first documented these attacks on July 8, highlighting the threat's existence. Notably, the utilization of the zero-day vulnerability in these attacks was initially unknown, causing increased concern among security experts.

Microsoft Office and Windows HTML RCE Vulnerability


CVE-2023-36884 could be a severe security defencelessness as of late revealed in Microsoft Office and Windows HTML components. Categorized as a 'Remote Code Execution' risk, this abuse permits aggressors to execute harmful code remotely, bypassing standard framework securities. The helplessness misuses the dealing with Microsoft Office records, showing a noteworthy hazard to clients. Here's a point-by-point breakdown of the assault handle:

  • Made Report: The aggressor skilfully plans a tricky Microsoft Office archive, mainly designed to trigger misuse when opened by a clueless client.

  • The download of Pernicious Record: Upon opening the created record, an arrangement of activities is set in movement. The client unconsciously starts the download of a safe record.

  • Infusion of iFrame: The downloaded record contains a script that executes an iframe, surreptitiously presenting an inserted web page into the framework.

  • Noxious Payload: The iframe acts as a portal, encouraging the download and execution of an exceedingly malevolent payload. This payload is outlined to carry out the attacker's expected activities, possibly compromising the victim's framework.


The Impact of CVE-2023-36884:


At first glance, CVE-2023-36884 may appear as another security vulnerability amidst today's plethora of digital threats. However, delving deeper into its implications reveals the true extent of its danger - unauthorized execution of arbitrary code. This is not just any ordinary vulnerability; it is a potential gateway for attackers to take complete control of your system, unleashing devastating consequences.


Imagine the scenario: an attacker exploits this vulnerability to breach your system's defenses, but the true horror lies beyond this initial intrusion. The attacker gains the power to execute commands on your system, all without your knowledge or consent. It's like handing over the keys to your digital kingdom to a malicious intruder.

With this exploit, the attacker can practically commandeer your entire system, enabling unfettered access to your data. This unauthorized manipulation of your precious information severely threatens your privacy and confidentiality. Furthermore, the attacker can go even further by executing malicious commands, potentially causing irreparable damage to your system, applications, and files.

The impact of CVE-2023-36884 goes far beyond the typical security vulnerability. It opens the door to a realm where attackers wield control over your digital life, bypassing conventional barriers and defenses. The consequences of such an intrusion can be catastrophic for individuals and organizations alike.


How to Mitigate CVE-2023-36884


Microsoft has released several mitigation techniques to reduce the attack surface and advises users to apply these measures until an official patch is available. Additionally, Microsoft highlights that its Defender product can prevent the execution of Office documents containing the exploit. Utilizing the Defender service protects users from the current vulnerability and safeguards against future attacks.


Another effective strategy is implementing the "Block all Office applications from creating child processes" Attack Surface Reduction Rule to prevent exploitation attempts proactively. If the above measures cannot be implemented, users have the option to make specific registry changes:

By adding the application names (Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe) to the registry key:


Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION 

As values of type REG_DWORD with data 1, users can enhance their protection against the vulnerability.

It is essential to be aware that while these mitigation settings can effectively reduce the risk of exploitation, they may also impact regular functionality for specific use cases related to the mentioned applications. Testing changes in a controlled environment before implementing them at scale is highly advised to ensure smooth and secure operations. This helps to identify any potential negative impact on day-to-day operations and address them before deploying the differences across the organization.

Microsoft apps image

In our GitHub repository here, we provide comprehensive guides on detecting and mitigating vulnerability using PowerShell scripts. With the detection script, users can identify if their systems are susceptible to the vulnerability. On the other hand, the mitigation script offers an effective solution to safeguard systems from potential exploitation. By following the step-by-step instructions outlined in the repository, users can proactively assess their systems' security and take necessary actions to protect against any potential threats the vulnerability poses.

CVE-2023-36884 Vulnerability Exploit Demo





Stay vigilant against the CVE-2023-36884 Microsoft vulnerability. Utilize provided mitigation techniques and detection scripts from our GitHub repo to enhance your system's security. Protect your data and stay one step ahead of potential threats.


References:

 

Register for instructor-led online courses today!


Check out our free programs!


Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.

1,261 views

Recent Posts

See All

Comments


bottom of page