CVE-2023-36884 - Microsoft Office and Windows HTML ?


Microsoft announced CVE-2023-36884, a zero-day remote code execution vulnerability in Office and Windows HTML, with its July Patch Tuesday release, rating it as "important". Microsoft observed active exploitation of this vulnerability using specially crafted Microsoft Office documents. Note that user interaction is required: the victim must open the malicious document for exploitation to occur.


Unit 42 Threat Intelligence can confirm that this vulnerability has been exploited since at least July 3, 2023. Detailed analysis is ongoing, and this Threat Summary will be updated as analysis is completed.



Microsoft has released a patch that mitigates exploitation of this vulnerability. For those unable to patch, it recommends preventing Office applications from creating child processes, or enabling the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, to avoid exploitation. For more information, please refer to the Security Updates page.


Palo Alto Networks customers receive protection and mitigation against CVE-2023-36884 in the following ways:


Organizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.
Cortex XDR and XSIAM agents offer protection against subsequent exploitation activities associated with CVE-2023-36884 and utilize Local Analysis detections for RomCom binary files in Windows environments.
Cortex XDR prevents publicly known exploit chains for CVE-2023-36884.
Advanced WildFire can help detect and prevent attacks containing highly evasive malicious software.
Advanced Threat Prevention Firewall, in conjunction with Next-Generation Threat Prevention security subscriptions, can help block associated payloads and attacks.
Cloud-based Security Services can categorize C2 domains associated with this activity as malicious.


Vulnerabilities Discussed: CVE-2023-36884, RomCom RAT



Vulnerability Details

It is important to note that all observed exploitation instances so far have required the user to open a malicious document. After the user opens the malicious document, a file containing a script is downloaded, initiating an iframe injection that leads to the download of a malicious payload. Currently, it is uncertain whether the underlying vulnerability relies on Office documents for delivery. It is possible that the vulnerability could be exploited using other yet unseen delivery mechanisms. For instance, Microsoft's security guidance includes a mitigation suggesting the addition of wordpad.exe as one of nine applications under a registry key that blocks URLs using the file: protocol originating from untrusted zones (such as the Internet zone or Restricted Sites zone).


Current Scope of the Attack


Unit 42 Threat Intelligence can confirm that this vulnerability has been exploited since at least July 3, 2023. Early exploitation of this vulnerability involves the use of RomCom malware, which was reported by Microsoft on July 11, 2023. RomCom was initially observed by Unit 42 in May 2022 and is a low-volume malware family detected in various attacks over the past year, including ransomware attacks and espionage-related attacks. The software acts as a Remote Access Trojan (RAT), providing attackers with various capabilities such as directory listings, file system modifications, file uploads and downloads, and execution of commands.

Interim Guidance

Microsoft recommends preventing Office applications from creating child processes, or setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, to avoid exploitation. For more information, please refer to the Security Updates page.
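As an added example (not part of the original post or of Unit 42's guidance), the following PowerShell audits a Windows host for the two interim mitigations described above and, on request, applies them. The full registry path, the nine application value names and the Defender ASR rule ID are assumptions taken from Microsoft's published guidance rather than from this page; confirm them against the Security Updates page before use.

```powershell
#Requires -RunAsAdministrator
# Added example, not Unit 42 or Microsoft code. Assumed values (verify against Microsoft's advisory):
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
        'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'
# Defender ASR rule "Block all Office applications from creating child processes" (assumed ID)
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-CrossProtocolMitigation {
    # One row per application: the current DWORD value (or $null) and whether it equals 1
    foreach ($app in $Apps) {
        $value = $null
        if (Test-Path $KeyPath) {
            $value = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{ Application = $app; Value = $value; Mitigated = ($value -eq 1) }
    }
}

function Test-OfficeChildProcessRule {
    # Returns the ASR action for the rule: 1 = Block, 2 = Audit, 6 = Warn, 0 = not configured
    $prefs = Get-MpPreference
    $ids = @($prefs.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) { return [int]$prefs.AttackSurfaceReductionRules_Actions[$i] }
    }
    return 0
}

function Enable-CrossProtocolMitigation {
    # Creates the key if needed and sets each application value to 1; supports -WhatIf
    [CmdletBinding(SupportsShouldProcess)] param()
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $Apps) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$app", 'Set DWORD to 1')) {
            New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Enable-OfficeChildProcessRule {
    # Turns the ASR rule to Block mode; supports -WhatIf
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess('Microsoft Defender ASR', "Enable rule $AsrRuleId in Block mode")) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions Enabled
    }
}

Test-CrossProtocolMitigation | Format-Table -AutoSize
"Office child-process ASR rule action: $(Test-OfficeChildProcessRule) (1 = Block)"
# To apply: Enable-CrossProtocolMitigation -WhatIf ; Enable-OfficeChildProcessRule -WhatIf
```

Run the audit first; the `-WhatIf` switches on the two `Enable-*` functions show what would change before any value is written.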




