CVE-2023-36037 - Microsoft Excel Security Feature Bypass Vulnerability Explained (with Exploit Details & Code Snippet)

In November 2023, Microsoft disclosed a serious vulnerability in Excel: CVE-2023-36037. This flaw lets attackers bypass crucial security features, exposing users and organizations to increased risk. In this long-read, we’ll break down what this vulnerability is, how it works, how you can exploit it, and what you can do to protect yourself. No jargon — just the facts you need.

What is CVE-2023-36037?

CVE-2023-36037 is a vulnerability in Microsoft Excel — both in standalone versions and as part of Microsoft 365. This flaw lets an attacker bypass the Protected View and edit mode security features in Excel. Normally, these features warn and limit users when opening documents from the web or email. With this bug, malicious files could dodge these protections.

Microsoft’s Security Advisory:

Microsoft Security Response Center (MSRC) - CVE-2023-36037

How Does This Vulnerability Work?

When you open documents downloaded from the internet, Excel uses “Protected View” to sandbox the file. If a user wants to edit, they must explicitly enable editing — a safety step that blocks auto-executing malicious content.

With CVE-2023-36037, an attacker can craft a special Excel file. If a victim opens this file, it bypasses Protected View and Edit Mode automatically. That means macros, scripts, and embedded objects can run without any warning!

This happens because of a flaw in how Excel processes file metadata, especially the “Mark of the Web” (MotW) — a Windows feature flag which tells Excel the file is from an untrusted source.

Craft a Malicious Excel File:

The attacker creates a spreadsheet containing dangerous macro code or exploits (e.g., malware downloader).

Modify File Metadata:

By manipulating the file’s structure or compressing it in certain formats (like tricking Excel via a ZIP archive), the Mark of the Web can be removed or made ineffective.

Victim Opens File:

Excel opens without showing the normal security warnings. Macros/content run automatically, leading to code execution on the victim’s computer.

Code Snippet: How Attackers Remove "Mark of the Web"

Below is a PowerShell snippet that removes the Mark of the Web from an Excel file. This is often the key step in bypassing Protected View:

# PowerShell: Remove 'Zone.Identifier' Alternate Data Stream
$ExcelPath = "C:\path\to\malicious.xlsx"
if (Get-Item $ExcelPath -Stream "Zone.Identifier" -ErrorAction SilentlyContinue) {
    Remove-Item "$ExcelPath:Zone.Identifier"
    Write-Host "Mark of the Web (Zone.Identifier) removed!"
} else {
    Write-Host "No Mark of the Web stream present."
}

This stream removal prevents the operating system (and Excel) from seeing the file as “downloaded from the Internet,” so extra protections won’t trigger.

*Note: This code is for educational purposes only! Do not use for malicious activity.*

Real-World Attack Example

Suppose an attacker sends a ZIP archive containing a malicious Excel file. Because of how Windows and Excel process archives, if the MotW is removed (either by certain extraction utilities or manual stream deletion), Excel will not display Protected View. The payload (e.g., VBA macro) can run and download malware.

References & Original Reports

- Original Microsoft Report: CVE-2023-36037 | Microsoft Excel Security Feature Bypass Vulnerability
- NIST NVD Summary: https://nvd.nist.gov/vuln/detail/CVE-2023-36037

Security Analysis:

Twitter thread by Will Dormann (security researcher)

Blog breakdown:

Huntress Blog - Mark of the Web Bypasses: CVE-2023-36025 vs CVE-2023-36036 *(covers sibling flaws)*

Mitigation Guidance

- Update Excel: Install the November 2023 Patch Tuesday updates as soon as possible.

Don’t trust email attachments: Even from known senders, if unsolicited.

- Use Office macros policy: Disable macros from running by default, especially from files downloaded from the internet.
- User training: Teach staff not to extract and run Office files from ZIP archives or unknown locations.

TL;DR

- CVE-2023-36037: Lets attackers bypass Excel’s security warnings, making malware attacks sneaky.

Conclusion

The CVE-2023-36037 vulnerability in Excel shows that attackers are always looking for ways to sneak past our defenses. While Microsoft has fixed this issue, it’s a good lesson in why patching, smart security policies, and good user education are always the most important tools.

If you found this deep-dive useful, share it and help your friends or coworkers stay cyber-safe!

*This content is exclusive and tailored for clear understanding — feel free to link back if you use it elsewhere!*

Timeline

Published on: 11/14/2023 18:15:33 UTC
Last modified on: 11/20/2023 19:52:54 UTC