CVE-2023-36805 - Windows MSHTML Platform Security Feature Bypass Detailed Breakdown
In June 2023, Microsoft patched an important vulnerability in its MSHTML platform, tracked as CVE-2023-36805. This flaw is a security feature bypass issue, meaning it allows attackers to sidestep built-in defenses in Windows, possibly leading to the execution of malicious code when a user visits a crafted website or opens a malicious file. In this post, we’ll unravel what this vulnerability is, how it can be exploited, and give you code snippets and references to original sources. All in clear, simple English.
What is MSHTML?
MSHTML (also known as Trident) is an old web browser engine built by Microsoft. While Internet Explorer itself might seem obsolete, MSHTML is still heavily used under the hood by many Windows applications (like Microsoft Office and help files). That means vulnerabilities in MSHTML can potentially affect a lot of users.
CVE-2023-36805 Explained
This bug is classified as a Security Feature Bypass. It doesn’t directly allow code execution, but it can help other vulnerabilities become more dangerous by bypassing security features such as Protected Mode, Mark-of-the-Web enforcement, or sandboxing.
CVSS Score: 6.5 (Medium)
Affected Versions: Windows 10, 11, Server 2012/2016/2019/2022
Patch Released: June 2023
Microsoft’s official description:
CVE-2023-36805 | Windows MSHTML Platform Security Feature Bypass Vulnerability
How Does the Vulnerability Work?
MSHTML is supposed to restrict content loaded from the web. This bug allows a specially crafted file or web page to trick MSHTML into running scripts or executables with fewer restrictions.
Attack Scenario:
A user opens a malicious document (Office file, help file, web link) that has been crafted by an attacker. This file uses a specific MSHTML feature in a way that tricks Windows into not applying its normal safety rules, such as blocking JavaScript or refusing to load ActiveX controls.
Simplified Exploit Example
Below is a simplified and sanitized example—do not use this for any illegal activity.
Let’s assume you want to bypass Mark-of-the-Web (MOTW) protections. The vulnerability can be exploited by using certain HTML constructs to bypass security prompts.
<!-- Bypassing MSHTML MOTW using an iframe object -->
<html>
<body>
<!-- The iframe might be loaded from a local file or external server -->
<iframe src="file:///C:/malicious/payload.html"></iframe>
</body>
</html>
If a user opens this HTML file in an application using MSHTML (say, Word or Outlook’s preview pane), the iframe can load local files or code with fewer restrictions.
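A defender-side triage check for the construct shown above, added here as an example and not part of the original post or any Microsoft tooling: it parses an HTML attachment and flags framing elements whose source is a local URI (a file: URL, a bare Windows drive path, or one of the compiled-help protocol handlers), so such files can be quarantined before a user opens them in an MSHTML-based viewer. The element list and the set of schemes treated as local are assumptions chosen for this example; the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that pull in a second document, and the attribute carrying its
# source. Assumption: this is the set this example chooses to audit.
_SRC_ATTRS = {
    "iframe": "src", "frame": "src", "embed": "src",
    "object": "data", "script": "src", "link": "href",
}
# Schemes treated as "local": file URLs plus the compiled-help (.chm)
# protocol handlers. Assumption: these are the schemes of interest here.
_LOCAL_SCHEMES = {"file", "mk", "its", "ms-its"}


def _is_local(url):
    """True if the URL points at the local machine rather than the web."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in _LOCAL_SCHEMES:
        return True
    # A single-letter "scheme" is really a Windows drive letter (C:\...).
    if len(scheme) == 1 and scheme.isalpha():
        return True
    return url.startswith("\\\\")  # UNC path


class LocalRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attr = _SRC_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value and _is_local(value.strip()):
            self.findings.append((tag, attr, value.strip()))


def find_local_references(html_text):
    """Return every framing element in html_text that loads a local source."""
    parser = LocalRefFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample mirroring the iframe snippet above, plus a benign web frame.
SAMPLE_HTML = """<html><body>
<iframe src="file:///C:/malicious/payload.html"></iframe>
<iframe src="https://example.com/page.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_local_references(SAMPLE_HTML):
        print(f"suspicious <{tag} {attr}=...>: {url}")
```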
Attackers can combine this with social engineering, for example:
References and More Samples
- Microsoft Patch Update Details
- MSHTML Trident Engine Exploits Over The Years (Google Project Zero)
- Security Feature Bypass Primer
1. Install Updates:
Always patch your Windows OS as soon as possible. This vulnerability is fixed in Microsoft's June 2023 update.
2. Move Off Legacy MSHTML:
Set new applications to use Edge (Chromium) WebView2, not legacy MSHTML controls.
3. Beware of Unexpected Office/Help Files:
Don't open files from unfamiliar sources, especially old compiled help (.chm) files, Office files, or HTML attachments.
Conclusion
CVE-2023-36805 demonstrates why even “old” components like MSHTML can still create modern risks. Attackers love these legacy paths for sneaking through your defenses. Make sure you keep all your devices updated, and think twice before opening suspicious documents—even if they look like innocent help files.
Further Reading
- How Mark-of-the-Web Works
- Official Patch and Mitigations
- Infosec Write-ups: Similar Bypass Techniques
*This article was written to help users and administrators understand one current threat on Windows platforms. Please use the knowledge for good!*
Timeline
Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/14/2023 00:30:00 UTC