This Cybersecurity Threat Advisory highlights a high-severity Microsoft Office and Windows HTML remote code execution vulnerability, CVE-2023-36884, with a base CVSS score of 8.3 has been discovered. Through this vulnerability attackers can execute arbitrary code on affected systems, leading to potential data breaches, unauthorized access, and system compromise. Microsoft has provided mitigation steps to protect against exploitation, including registry changes and utilizing Microsoft Defender for Microsoft Office.
What is the threat?
CVE-2023-36884 is a remote code execution vulnerability affecting Microsoft Office and Windows systems. Attackers can exploit this vulnerability by enticing users to open malicious files or documents containing HTML content to infect their system. The vulnerability stems from improper handling of certain objects in memory, enabling attackers to execute arbitrary code with the user’s privileges.
Why is it noteworthy?
This vulnerability is noteworthy because there are a wide range of users using Microsoft Office and Windows, making this vulnerability relevant to many users. A successful exploitation can lead to unauthorized access to sensitive data, system compromise, and the potential to create lateral or other attacks.
What is the exposure or risk?
Organizations using Microsoft Office and Windows systems are at risk of exploitation if CVE-2023-36884 is not promptly addressed. The risk is elevated for users with administrative privileges. Successful exploitation of this vulnerability can lead to data breaches, financial losses, and reputational damage.
What are the recommendations?
Barracuda MSP recommends the following actions to mitigate the risk posed by CVE-2023-36884:
- Apply Security Updates: Apply the latest security updates provided by Microsoft to address the vulnerability effectively.
- Utilize Microsoft Defender for Office: Organizations using Microsoft Defender for Office are protected against attachments attempting to exploit this vulnerability.
- Implement Attack Surface Reduction Rule: Deploy the “Block all Office applications from creating child processes” Attack Surface Reduction Rule to prevent exploitation within current attack chains.
- Implement Registry Changes: For those unable to use the above protections, consider adding specific application names to the mentioned registry key, limiting the vulnerability’s impact. However, be aware that these changes could affect regular functionality and should be tested before broad deployment.
- Test and Deploy Changes Cautiously: Ensure that any changes made, whether through security updates or registry modifications, are tested in controlled environments before deploying them widely to production systems.
References
For more in-depth information about the recommendations, please visit the following links:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- https://www.ninjaone.com/blog/how-to-mitigate-cve-2023-36884-powershell/
- https://www.picussecurity.com/resource/blog/cve-2023-36884-a-detailed-look-at-the-recent-microsoft-vulnerability
- https://unit42.paloaltonetworks.com/cve-2023-36884-rce/
- https://www.tenable.com/blog/microsofts-july-2023-patch-Tuesday-addresses-130-cves-cve-2023-36884
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.
