Monday, December 4, 2023

If vulnerability were a currency, Microsoft would make another billion

An unpatched zero-day vulnerability leaves users with no fix to apply.

Microsoft has disclosed (on its July 2023 Patch Tuesday) an unpatched zero-day vulnerability affecting several Windows and Office products that is already being exploited in the wild for remote code execution (RCE) via malicious Office documents.

The flaw, tracked as CVE-2023-36884, has been used in targeted APT attacks. Microsoft rates the attack complexity as high; the attacker needs no credentials on the target, but the victim must be persuaded to open the malicious document. Successful exploitation gives the attacker code execution in the context of the user who opened the file, with full impact on confidentiality, integrity and availability: reading sensitive data, tampering with system protections, and denying the victim access to the compromised system.

The flaw has not yet been fixed; Microsoft says it will deliver a patch either through its monthly release cycle or as an out-of-band security update. (Microsoft subsequently shipped the fix in its August 2023 security updates; the measures below were the interim guidance.)

Available Mitigation Measures

Until a patch for CVE-2023-36884 is available, Microsoft says that customers using Microsoft Defender for Office 365 are protected against documents attempting to exploit the bug, and advises everyone to enable the attack surface reduction (ASR) rule "Block all Office applications from creating child processes", which breaks the typical phishing-document execution chain.

Customers who do not use these protections can instead add the following application names as REG_DWORD values with data 1 under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION:

  • Excel.exe
  • graph.exe
  • MSAccess.exe
  • MSPub.exe
  • powerpoint.exe
  • Visio.exe
  • WinProj.exe
  • winword.exe
  • wordpad.exe

However, setting this registry key to block exploitation attempts may also break certain Office features in the applications listed above, so it is worth testing on a pilot group first and removing the values once the patch has been deployed.
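The two mitigations above, as an added example that is not part of the original article or of Microsoft's advisory: an elevated PowerShell script that writes the registry values for every process name in the list, turns on the ASR rule, and then verifies both. It assumes Microsoft Defender Antivirus is the active engine (the ASR cmdlets do nothing otherwise) and uses the rule's published GUID d4f940ab-401b-4efc-aadc-ad5f3c50688a; the registry path and process names are the ones from the advisory.

```powershell
# Added example (not from the original article): apply and verify Microsoft's
# interim mitigations for CVE-2023-36884 on one Windows host.
# Run from an elevated PowerShell session. Assumes Microsoft Defender Antivirus
# is the active AV engine (needed for the ASR rule).

$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$apps = @('Excel.exe', 'graph.exe', 'MSAccess.exe', 'MSPub.exe', 'powerpoint.exe',
          'Visio.exe', 'WinProj.exe', 'winword.exe', 'wordpad.exe')

# 1. Registry mitigation: one REG_DWORD = 1 per Office process name.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
foreach ($app in $apps) {
    New-ItemProperty -Path $keyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. ASR rule "Block all Office applications from creating child processes".
#    Use AuditMode instead of Enabled first if you need to measure breakage.
$asrRuleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Verify the registry values: every listed process must read back as 1.
$props = Get-ItemProperty -Path $keyPath
$missing = $apps | Where-Object { $props.$_ -ne 1 }
if ($missing) {
    Write-Warning "Registry mitigation incomplete for: $($missing -join ', ')"
} else {
    Write-Output "Registry mitigation applied for all $($apps.Count) processes."
}

# 4. Verify the ASR rule is in Block mode (Get-MpPreference reports actions
#    numerically: 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
$ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx = [array]::IndexOf($ids, $asrRuleId)
if ($idx -ge 0 -and $pref.AttackSurfaceReductionRules_Actions[$idx] -eq 1) {
    Write-Output 'ASR rule is in Block mode.'
} else {
    Write-Warning 'ASR rule is not in Block mode (is Defender AV the active engine?).'
}

# Rollback after patching: remove the per-process values again.
# foreach ($app in $apps) { Remove-ItemProperty -Path $keyPath -Name $app -ErrorAction SilentlyContinue }
```

For fleet-wide deployment the same registry values are better pushed as a Group Policy registry preference and the ASR rule via Intune or GPO rather than per host; the verification steps are still useful as a compliance check. Keep the rollback step in mind, since the feature-control key is a blunt instrument that can interfere with legitimate Office behaviour.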


Exploitation in attacks on NATO summit participants

In a separate blog post, the company reports that CVE-2023-36884 was used in attacks against organisations supporting Ukraine that were taking part in the NATO summit in Vilnius, Lithuania.

According to Microsoft's researchers, the RomCom group (also tracked as Storm-0978, Tropical Scorpius, UNC2596 and Void Rabisu) used decoy documents purporting to call for Ukraine's admission to NATO, one of the key topics on the summit agenda.

On successful exploitation, the attacker gains remote code execution on the victim's machine simply by getting the user to open a malicious .docx or .rtf document. Microsoft classes the bug as an Office and Windows HTML remote code execution vulnerability, which is why its interim mitigation disables cross-protocol file navigation in the HTML engine for the Office processes listed above. (Earlier reports described the bug as abusing a vulnerable Microsoft Support Diagnostic Tool (MSDT) to run an attacker-supplied command; that description matches the separate 2022 "Follina" flaw, CVE-2022-30190, not CVE-2023-36884.)

All users, and in particular those who handle sensitive information or are likely targets of state-aligned groups, are urged to apply the mitigations Microsoft recommends.
