Get a FREE Report of the Software Running in Your Environment - Including Risks & Countries of Origin
Back to Blogs Back to Press Releases
ThreatLocker Office and Windows HTML Remote Code Execution Vulnerability Blog Header

Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884)

Table of Contents

What is the CVE-2023-36884 Zero-Day Vulnerability?

CVE-2023-36884 is a critical zero-day vulnerability affecting multiple Windows and Microsoft Office versions. This security flaw poses a severe threat, allowing malicious actors to run whatever code they want on your computer remotely. Hackers can accomplish this using specially crafted Microsoft Office documents.

What Versions of Microsoft Windows and Office Are Vulnerable?

The following applications are vulnerable to CVE-2023-3684:

  • Microsoft Office (x64 and x86 versions): Versions before 2304
  • Microsoft Word 2013 SP1: Version 15.0.4569.15063
  • Microsoft Word 2016: Version 16.01
  • Microsoft Windows 10 1507 (x64 and x86 versions): Version 15074

How Hackers Leverage this Vulnerability

In this case, an attacker would create a Microsoft Office document containing malicious code and trick a user into clicking or opening the file. When someone opens this document, it lets someone else control their computer and do whatever they want.

Using this vulnerability, an attacker can accomplish data theft, system disruption, and persistence. In addition, the threat actor could deploy ransomware to lock the user's files. Alternatively, they could connect to a remote command and control server, providing a hidden channel for further exploitation.

Microsoft Recommendation

Microsoft recommends the following:

  • Using Microsoft Defender for Office 365.
  • If you are using (Versions 2302 and later), updating Microsoft 365 Apps will protect you from exploitation of the vulnerability via Office.
  • Organizations not using these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.
  • You don't need to restart the OS, but we recommend restarting the applications with the added registry key if you have already queried and cached the value.
  • These settings could stop the problem but might also cause issues for some specific uses of the applications. For this reason, we suggest testing. Remove the registry key or configure it to "0" to turn off the mitigation.
Screenshot of FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key in the registry editor

How Can ThreatLocker Mitigate This?

At ThreatLocker, we want to ensure your endpoints are safe with just one click, and we have successfully done that today. You can leverage the power of Configuration Manager to make the registry changes needed to mitigate this attack automatically.

In response to this vulnerability, we have released a new Configuration Manager Policy titled “CVE-2023-36884|Windows SRC Execution Vulnerability”.

See Figure 1 for the steps required to add this policy to your environment.

Figure 1.

Screenshot of ThreatLocker Configuration Manager Policy Creation
Figure 1.

See red pins for help navigating within the portal:

  1. Navigate to Modules.
  2. Select Configuration Manager.
  3. Select New Policy.
  4. Select your desired policy level, e.g., “Entire Organization” , and select the configuration drop-down.
  5. Select the Policy called “CVE-2023-36884|Windows SRC Execution Vulnerability” under the “Zero-Day Security Policies Section.”

See Figure 2 for a close-up of the configuration manager policy.

Screenshot of ThreatLocker Portal Policy Creation
Figure 2.