CVE CyberSecurity Database News

CVE-2023-36045 - Breaking Down the Microsoft Office Graphics Remote Code Execution Vulnerability

Poster -

Microsoft Office, the daily tool of millions, has once again proven how a small flaw can become a major threat. CVE-2023-36045 is a critical Remote Code Execution (RCE) vulnerability centered on how Microsoft Office handles graphics files, especially when loading certain images or embedded objects.

In this article, we’ll dive deep into this vulnerability—what it is, how attackers can exploit it, and what you can do to protect yourself. We’ll share code snippets, original references, and break down even the complex bits in plain talk.

What is CVE-2023-36045?

CVE-2023-36045 is a vulnerability discovered in how Microsoft Office handles specially-crafted graphics content. If an attacker manages to trick you into opening a malicious file—typically a DOCX, PPTX, or XLSX with a dangerous image embedded—they can run their code on your machine. Just opening the file is enough.

Severity: Critical
CVSS Score: 7.8–8.8 (depending on context)
Affected Versions: Office 2016, 2019, 2021, Office 365, and other variants with graphics support.

How Does The Exploit Work?

When Microsoft Office tries to display an embedded graphic, it passes the image data through a library or internal function. For CVE-2023-36045, the problem is usually a buffer overflow or corruption, where the file’s image format tricks Office into writing data where it shouldn’t.

Attackers: Usually embed a malicious EMF/WMF/PNG image in an Office file. They send this to a victim—perhaps by email, cloud share, or via a download link. The target opens the file, and their computer unwittingly runs hacker-created code.

Example Code: How a Malicious Image is Embedded

Here’s a simplified Python snippet to craft a DOCX with a harmful image payload (for educational/demo use only!) using the python-docx package.

from docx import Document
from docx.shared import Inches

doc = Document()
doc.add_heading('CVE-2023-36045 Exploit Demo', level=1)

# Imagine 'exploit.emf' is a carefully crafted malicious EMF file
with open('exploit.emf', 'rb') as emf_file:
    emf_data = emf_file.read()

# Most python-docx methods reject raw data, but an attacker could use
# lower-level code to inject the binary EMF into the DOCX archive manually.

with open('document.docx', 'wb') as out_doc:
    # Write normal XML parts
    # Write image payload where image references go
    # This is simplified! Real exploits would modify the DOCX's internal ZIP structure
    out_doc.write(emf_data)

print("Malicious Office file created.")

Note: A real-world attacker would patch the document archive (DOCX / PPTX etc. are just ZIP files with structured XML and embedded resources) so the image loads during document view.

No user warning: The victim just opens a doc, views a slide, or checks a spreadsheet.

- Privilege Escalation: If combined with other bugs, an attacker could get admin or system rights.
- Email/Cloud Attack: It’s easy to deliver via phishing attachments, shared folders, or web downloads.

Microsoft Security Advisory:

CVE-2023-36045 | Microsoft Office Graphics Remote Code Execution Vulnerability

NIST NVD Details:

CVE-2023-36045 Status

Security Researchers’ Writeups:

- Zero Day Initiative: ZDI-23-1372

Microsoft patched this issue in November 2023. Update Office ASAP!

By default, Office opens downloaded docs in 'Protected View'. Keep this enabled.

The Bottom Line

CVE-2023-36045 is a prime example of why even something as simple as an image in your Office doc can become a hacking weapon. The good news? A little caution and quick updates are your best defense.

Keep your software up-to-date, don’t trust files from strangers, and if you’re a security pro—always monitor for suspicious document activity on your endpoints.


Stay safe. Want more deep dives on Office exploits and zero-days? <br>[Contact me](mailto:security.writer@example.com) for custom research or trainings!

Timeline

Published on: 11/14/2023 18:15:35 UTC
Last modified on: 11/20/2023 18:19:35 UTC