A new Microsoft Word vulnerability, CVE-2023-36761, was disclosed by Microsoft. This new vulnerability is rated 5.3 by NIST, a medium-level vulnerability but Microsoft has rated this as “Important”. Barracuda MSP recommends reviewing this Cybersecurity Threat Advisory in detail and follow the recommendations below.
What is the threat?
CVE-2023-36761 is an information disclosure vulnerability that has been exploited in the wild as a zero-day vulnerability. It has been publicly disclosed prior to a patch being available. Successful exploitation of this flaw would allow for the disclosure of New Technology LAN Manager (NTLM) hashes, which could be abused in NTLM relay or pass-the-hash attacks to further an attacker’s foothold in an organization. Microsoft has confirmed that the preview pane is an attack vector, meaning that simply previewing a specially crafted file can cause the exploit to trigger.
Why is it noteworthy?
CVE-2023-36761 has been mentioned at least once in a post with ransomware related content. As well as having at least one reported exploit in the wild, and it was mentioned at least once in a post with APT related content. This is the second zero-day vulnerability disclosed this year that could result in the disclosure of NTLM hashes.
What is the exposure or risk?
CVE-2023-36761 has been noted by the exploit prediction scoring system (EPSS) that the probability of exploitation in the next 30 days is as high as 57 percent. Since the preview pane is also an attack vector, it can put many electronic devices at risk.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of CVE-2023-36761:
- Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- Install Microsoft’s security update for Word 2016: KB5002497.
- Frequently download the latest Microsoft security patches and updates.
For more in-depth information about the recommendations, please visit the following links:
- NVD – CVE-2023-36761 (nist.gov)
- CVE-2023-36761 – Security Update Guide – Microsoft – Microsoft Word Information Disclosure Vulnerability
- CVE Record | CVE
- Microsoft Office: CVE-2023-36761: Microsoft Word Information Disclosure Vulnerability (rapid7.com)
- Description of the security update for Word 2016: September 12, 2023 (KB5002497) – Microsoft Support
- CVE-2023-36761 | AttackerKB
- CVE-2023-36761 : Microsoft Word Information Disclosure Vulnerability (cvedetails.com)
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.