On 11 July 2023, Microsoft announced a zero-day vulnerability in the Office suite that is being actively exploited. The vulnerability was published under the number CVE-2023-36884 and given a CVSS score of 8.3 ("high") in terms of its criticality.
Facts
An attacker can achieve remote code execution. To do this, the victim only needs to be tricked into opening a specially crafted Microsoft Office document; the document then executes malicious code with the victim's privileges.
The vulnerability is already being exploited, in some cases by criminal gangs specialising in ransomware attacks and cyber extortion.
Measures
No patch is yet available for the vulnerability. Therefore, the following measures should be used to prevent the vulnerability from being exploited:
- Prohibit Microsoft Office applications from creating child processes via "Attack Surface Reduction (ASR)" rules, i.e. activate the ASR rule "Block all Office applications from creating child processes".
- Create the registry key
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
and set the following DWORD values to 1:
  - Excel.exe
  - Graph.exe
  - MSAccess.exe
  - MsPub.exe
  - PowerPoint.exe
  - Visio.exe
  - WinProj.exe
  - WinWord.exe
  - Wordpad.exe
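The two mitigations above can be applied and verified from an elevated PowerShell session. This is an added example, not part of the advisory or Microsoft's guidance; it assumes Microsoft Defender Antivirus is managing ASR rules on the host, and the rule GUID is taken from Microsoft's ASR rule reference.

```powershell
# Added example: apply the CVE-2023-36884 workarounds described in the advisory.
# Run as Administrator on each affected Windows host.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Executables = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MsPub.exe', 'PowerPoint.exe',
                 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

# 1. Create the FeatureControl key if missing and set each executable's value to DWORD 1.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
foreach ($exe in $Executables) {
    New-ItemProperty -Path $KeyPath -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify: report any executable whose value is missing or not 1.
$notSet = $Executables | Where-Object {
    (Get-ItemProperty -Path $KeyPath -Name $_ -ErrorAction SilentlyContinue).$_ -ne 1
}
if ($notSet) {
    Write-Warning "Registry values not set correctly for: $($notSet -join ', ')"
} else {
    Write-Host 'All FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION values are set to 1.'
}

# 2. Enable the ASR rule "Block all Office applications from creating child processes".
#    To observe impact on special usage scenarios first, use -AttackSurfaceReductionRules_Actions AuditMode
#    and review the audit events before switching to Enabled.
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions Enabled

# Verify the rule state: action 1 = Block (Enabled), 2 = Audit, 0 = Disabled.
$prefs  = Get-MpPreference
$action = $null
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -eq $AsrRuleId) {
        $action = $prefs.AttackSurfaceReductionRules_Actions[$i]
    }
}
if ($action -eq 1) {
    Write-Host 'ASR rule "Block all Office applications from creating child processes" is enabled.'
} else {
    Write-Warning "ASR rule $AsrRuleId is not in Block mode (current action: $action)."
}
```

Deploying the same settings through Group Policy or Intune is preferable at fleet scale; this script is suited to verifying or remediating individual hosts.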
According to Microsoft, restrictions may occur in special usage scenarios after setting the registry values.
According to Microsoft, using Microsoft Defender for Office 365 and Microsoft 365 Apps (from version 2302) should already prevent exploitation of the vulnerability via crafted documents.