bleepingcomputer[.]com/news/security/microsoft-unpatched-office-zero-day-exploited-in-nato-summit-attacks/
Microsoft disclosed today an unpatched zero-day security bug in multiple Windows and Office products exploited in the wild to gain remote code execution via malicious Office documents. Unauthenticated attackers can exploit the vulnerability (tracked as CVE-2023-36884) in high-complexity attacks requiring user interaction.
Successful exploitation could lead to a total loss of confidentiality, availability, and integrity, allowing the attackers to access sensitive information, turn off system protection, and deny access to the compromised system.
Until CVE-2023-36884 patches are available, Microsoft says customers using Defender for Office and those who have enabled the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected against phishing attacks attempting to exploit the bug. Those not using these protections can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1:
Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
PowerPoint.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe
However, it's important to note that setting this registry key to block exploitation attempts may also impact some Microsoft Office functionality linked to the applications listed above.
To add the registry entries more easily, copy/paste the following in a new text doc in Notepad, save it, rename it [SomeName].reg, then double click the file to merge it with the registry.
------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]
"Excel.exe"=dword:00000001
"Graph.exe"=dword:00000001
"MSAccess.exe"=dword:00000001
"MSPub.exe"=dword:00000001
"PowerPoint.exe"=dword:00000001
"Visio.exe"=dword:00000001
"WinProj.exe"=dword:00000001
"WinWord.exe"=dword:00000001
"Wordpad.exe"=dword:00000001
------------------
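And to later undo these entries if necessary (this deletes the whole FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key, including any values that were in it before):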
--------------
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]
-----------
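To confirm the mitigation actually landed on a machine, the PowerShell script below audits the nine values and can optionally set them. It is an added example, not from the article or from Microsoft; the `-Apply` switch and the function name `Get-MitigationState` are names chosen here, and applying requires an elevated prompt.

```powershell
# Added example: audit (and optionally apply) the registry mitigation above.
# Usage:  .\script.ps1          -> report only
#         .\script.ps1 -Apply   -> write the values first (run elevated)
param([switch]$Apply)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
        'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

function Get-MitigationState {
    # One object per application: Missing, WrongType, WrongData or OK.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    foreach ($app in $Apps) {
        $state = 'Missing'
        if ($key -and ($key.GetValueNames() -contains $app)) {
            $kind = $key.GetValueKind($app)
            $data = $key.GetValue($app)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $state = 'WrongType'      # e.g. created as REG_SZ "1"
            } elseif ($data -ne 1) {
                $state = 'WrongData'      # e.g. dword:00000000
            } else {
                $state = 'OK'
            }
        }
        [pscustomobject]@{ Application = $app; State = $state }
    }
}

if ($Apply) {
    # Create the key only if absent: New-Item -Force on an existing key
    # would recreate it and drop values already stored there.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -LiteralPath $KeyPath -Name $app `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

$result = @(Get-MitigationState)
$result | Format-Table -AutoSize

# Non-zero exit code when any application is not protected, for use in scripts.
if (@($result | Where-Object { $_.State -ne 'OK' }).Count -gt 0) { exit 1 }
```

A value created with the wrong type (for example a string "1" instead of REG_DWORD) is reported as WrongType rather than OK, which is the case a quick visual check in regedit tends to miss.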