What’s the nature of the zero-day?
From Microsoft’s security advisory:
“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”
In a blog entry published the same day as the advisory, Microsoft describes attacks originating from a threat actor dubbed “Storm-0978” who has perpetrated a phishing campaign targeting defense and government entities in Europe and North America. The campaign leverages CVE-2023-36884 to execute ransomware.
What is the risk of exploit?
Exploitation of CVE-2023-36884 has been observed in the wild by the aforementioned Storm-0978 (a cybercriminal group based in Russia) as part of opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations.
CISA has added the vulnerability to their list of known exploited vulnerabilities.
The risks of exploitation in this case are the same as for any RCE, but observed behavior from Storm-0978 indicates that ransomware is the greatest concern.
“Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.”
How can I mitigate the risk of CVE-2023-36884?
At the time of this writing, there is no patch available for CVE-2023-36884. Here are the mitigations provided by Microsoft, verbatim from their blog entry on Storm-0978 and its use of this vulnerability:
Microsoft 365 platforms:
Mitigation to protect against exploitation of CVE-2023-36884 is fairly straightforward. It’s important to note that the basic Microsoft 365 configurations are protected:
- Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
- Customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.
In current attack chains, the use of the “Block all Office applications from creating child processes” attack surface reduction rule prevents the vulnerability from being exploited. However, there is a strong caveat to using this mitigation: it has the potential to break Microsoft Office. Child processes are necessary for a native Office application to function normally. This particular mitigation should be used only in an emergency, as it will bring these apps to a grinding halt. See this Reddit commenter’s post for further evidence.
Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. No OS restart is required, but restarting the applications that have had the registry key added for them is recommended, in case the value was already queried and is cached.
Add the application names listed in Microsoft’s blog entry to this registry key as values of type REG_DWORD with data 1.
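The following PowerShell script is an added example for applying and verifying the two mitigations described above; it is not code from the article or from Microsoft. The full registry key path and the list of Office executables are not reproduced on this page and are taken here from Microsoft’s published guidance for CVE-2023-36884 as an assumption, so confirm both against the linked blog entry before deploying. The attack surface reduction rule GUID is likewise assumed from Microsoft’s ASR rule reference. Run it from an elevated session.

```powershell
# Added example (not from the original article or from Microsoft).
# Applies the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for
# CVE-2023-36884, verifies it, and optionally stages the ASR rule in audit mode.
# ASSUMPTION: key path and executable list per Microsoft's guidance; verify first.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Office executables named in Microsoft's guidance (assumed; verify against the blog entry).
$OfficeApps = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Set-CrossProtocolFileNavigationBlock {
    param([string[]]$Apps = $OfficeApps)
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        # REG_DWORD = 1 blocks cross-protocol file:// navigation for that process.
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolFileNavigationBlock {
    param([string[]]$Apps = $OfficeApps)
    # Returns the application names that are missing or not set to 1;
    # an empty result means every listed application is covered.
    if (-not (Test-Path $KeyPath)) { return $Apps }
    $props = Get-ItemProperty -Path $KeyPath
    $missing = @()
    foreach ($app in $Apps) {
        $prop = $props.PSObject.Properties[$app]
        if ($null -eq $prop -or $prop.Value -ne 1) { $missing += $app }
    }
    return $missing
}

function Enable-OfficeChildProcessAsrAudit {
    # Stages the "Block all Office applications from creating child processes"
    # ASR rule in audit mode: events are logged but nothing is blocked, which lets
    # you measure the breakage the article warns about before enforcing the rule.
    # ASSUMPTION: rule GUID from Microsoft's ASR rule reference; requires Defender.
    $AsrRuleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

Set-CrossProtocolFileNavigationBlock
$gaps = Test-CrossProtocolFileNavigationBlock
if ($gaps.Count -eq 0) {
    Write-Output "Registry mitigation applied for all $($OfficeApps.Count) applications; restart any running Office apps."
} else {
    Write-Warning "Registry mitigation not applied for: $($gaps -join ', ')"
}

# Uncomment to stage the ASR rule in audit mode on hosts where Defender is the AV.
# Enable-OfficeChildProcessAsrAudit
```

`Test-CrossProtocolFileNavigationBlock` is the part worth keeping in a compliance check: it reads the values back rather than trusting that the write succeeded, and it returns the uncovered executable names so a fleet-wide query can report exactly which hosts and applications still need attention. The ASR function deliberately uses audit mode rather than block mode because of the Office breakage the article describes; switch the action to Block only after reviewing the audit events.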
References:
- Security Update Guide – Microsoft Security Response Center
- Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog
- Block the file:// protocol | Microsoft Learn