Unpatched Office zero-day CVE-2023-36884 actively exploited in targeted attacks

Microsoft warned today that an unpatched zero-day in multiple Windows and Office products was actively exploited in the wild.

Microsoft disclosed an unpatched zero-day vulnerability in multiple Windows and Office products that has been actively exploited in the wild. The issue, tracked as CVE-2023-36884, was exploited by nation-state actors and cybercriminals to gain remote code execution via malicious Office documents.

The IT giant is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. The company revealed that it is aware of high-targeted attacks that attempt to exploit these issues through specially-crafted Office documents.

“An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.” reads the advisory published by Microsoft. “Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Microsoft is working to address the vulnerability, experts pointed out that it can be fixed by an out-of-band patch that can be released before August Patch Tuesday.

Microsoft announced in a separate post, the identification of a phishing campaign conducted by the Russian cybercrime group Storm-0978 (aka DEV-0978 and RomCom) and aimed at defense and government entities in Europe and North America. The threat actors were observed exploiting the flaw CVE-2023-36884 using lures related to the Ukrainian World Congress.

“Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, including a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass.” reads the post.

Microsoft provided the following mitigations for the unpatched zero-day:

Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.

In current attack chains, the use of the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.

Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1.:
ComputerHKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftInternet ExplorerMainFeatureControlFEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Excel.exe

Graph.exe

MSAccess.exe

MSPub.exe

PowerPoint.exe

Visio.exe

WinProj.exe

WinWord.exe

Wordpad.exe
Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)
The post Unpatched Office zero-day CVE-2023-36884 actively exploited in targeted attacks appeared first on Security Affairs.