CISA Adds Office 0-Day Flaw (CVE-2023-36884) to its KEV Catalog
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added CVE-2023-36884, a Microsoft Office and Windows flaw exploited in the wild before a patch was available, to its Known Exploited Vulnerabilities (KEV) Catalog. Inclusion in the catalog signals confirmed active exploitation and starts a remediation clock for federal agencies.
CVE-2023-36884 is rated high severity (CVSS v3.1: 8.3) and affects both Office and Windows. It is a remote code execution (RCE) vulnerability: an attacker who gets a victim to open a specially crafted document can run arbitrary code with that user's privileges. Because the lure is an ordinary-looking Office file delivered by e-mail or download, the flaw fits neatly into phishing-driven intrusion chains, which is what makes it attractive to the threat actors already abusing it.
In its advisory for CVE-2023-36884, Microsoft stated, “We are investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. We are aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”
The attack pattern is straightforward: the attacker crafts a malicious Microsoft Office document that, when opened, executes code in the security context of the victim. No privileges beyond the victim's own are obtained directly, and user interaction is required, so the attacker must convince the target to open the file. That social-engineering step is the weak point defenders can target with user awareness, mail filtering and the mitigations below.
The disclosure of this flaw is attributed to the collective effort of Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne, and Bahare Sabouri of Google’s Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster with Volexity, and the Microsoft Office Product Group Security Team.
Microsoft says the investigation is ongoing and that it will take appropriate action to protect customers, which may mean shipping a fix in its regular monthly security release or issuing an out-of-cycle update, depending on customer need. At the time of writing, no patch is available, so the mitigations below are the only vendor-supplied protection.
Microsoft has stated that customers using Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability, and that in the attack chains observed so far the Attack Surface Reduction (ASR) rule “Block all Office applications from creating child processes” prevents the vulnerability from being exploited. Note the qualifier: the ASR rule breaks the currently observed exploitation chain rather than removing the underlying bug, so it should be treated as a stopgap until a fix ships.
Organizations that cannot rely on either protection can block the exploitation path by adding the affected application names as values under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION. Each value is of type REG_DWORD with data 1, and the list is Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe and Wordpad.exe. Microsoft cautions that while these settings mitigate the issue, they can affect normal functionality for some use cases of the listed applications, so test before deploying broadly.
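The following PowerShell script, written for this article and not taken from Microsoft's advisory, applies and then verifies both mitigations described above on a single host: it creates the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION values for the nine listed applications and enables the “Block all Office applications from creating child processes” ASR rule. The function names are the author's own; the ASR rule GUID is Microsoft's published identifier for that rule. It must run from an elevated session, and the ASR steps require Microsoft Defender Antivirus to be the active AV engine.

```powershell
# Added example for applying the CVE-2023-36884 mitigations. Not Microsoft code.
# Run as Administrator. Test on a pilot group first: Microsoft warns the registry
# settings can affect normal functionality of the listed applications.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps    = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
             'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

# GUID of the ASR rule "Block all Office applications from creating child processes".
$AsrRuleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'

function Set-CrossProtocolNavBlock {
    # Creates the policy key if needed and sets each application name to REG_DWORD 1.
    param([string]$Path = $KeyPath, [string[]]$Applications = $Apps)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($app in $Applications) {
        New-ItemProperty -Path $Path -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolNavBlock {
    # Returns the application names that are NOT set to 1. An empty result means
    # the registry mitigation is fully in place.
    param([string]$Path = $KeyPath, [string[]]$Applications = $Apps)
    $missing = @()
    foreach ($app in $Applications) {
        $item = Get-ItemProperty -Path $Path -Name $app -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.$app -ne 1) { $missing += $app }
    }
    return $missing
}

function Enable-OfficeChildProcessBlock {
    # Puts the ASR rule into Block mode (Add-MpPreference merges with existing rules).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-OfficeChildProcessBlock {
    # Returns $true only if the rule is present AND its action is Block (1).
    # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $AsrRuleId) {
            return ($pref.AttackSurfaceReductionRules_Actions[$i] -eq 1)
        }
    }
    return $false
}

# Apply both mitigations, then report.
Set-CrossProtocolNavBlock
Enable-OfficeChildProcessBlock

$notSet = Test-CrossProtocolNavBlock
if ($notSet.Count -eq 0) { Write-Host 'Registry mitigation: OK' }
else { Write-Warning ("Registry mitigation incomplete for: " + ($notSet -join ', ')) }

if (Test-OfficeChildProcessBlock) { Write-Host 'ASR rule (Office child processes): Block' }
else { Write-Warning 'ASR rule not in Block mode (check Defender AV is active, or set via Intune/GPO)' }
```

For fleet-wide deployment the same registry values belong in a Group Policy Preference or Intune configuration profile rather than a script, and the ASR rule should be set through the Defender policy channel you already use; the `Test-*` functions above are still useful as a compliance check in either case. Audit mode (action 2) is a reasonable first step if you are worried about the ASR rule breaking a line-of-business add-in, but remember that audit mode logs the exploit attempt without stopping it.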
Because the vulnerability is being exploited in the wild, Binding Operational Directive 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate it by August 7, 2023. With no patch yet available, that means applying the vendor mitigations above (or discontinuing use of the affected software if they cannot be applied) and then installing the update once Microsoft releases it. Organizations outside the federal mandate should treat the same date as a reasonable internal deadline.