SIMPLIFIED POWERSHELL API SCRIPTING WITH ACTION1

Thursday, June 20 | 12 PM EDT / 6 PM CEST

Action1 5 Blog 5 How to Mitigate CVE-2023-36884

How to Mitigate CVE-2023-36884

July 12, 2023

By Peter Barnett

How to Mitigate CVE-2023-36884

The recent discovery of CVE-2023-36884 has raised concerns within the cybersecurity community. With no available patch to address the vulnerability as of July 12th, 2023, it becomes crucial to explore mitigation options. In this blog post, we will examine the recommended steps to safeguard your software stack and protect against potential exploits.

Understanding the Vulnerability

Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) is an important zero-day vulnerability that impacts Office and Windows HTML. It possesses a network attack vector with high complexity, requiring user interaction but not elevated privileges. With a CVSS rating of 8.3, it is categorized as important, although it could potentially warrant an even higher severity if executed with user interaction and complexity. The vulnerability affects all versions of Windows Server from 2008 onwards, Windows 10, as well as Microsoft Word and Microsoft Office versions 2013 and later.

Exploiting this vulnerability entails an attacker creating a specially crafted Microsoft Office document capable of executing remote code in the victim’s context. However, it is important to note that convincing the victim to open the malicious file is a prerequisite for a successful attack.

Depending on the software stack you are running, the CVE-2023-36884 vulnerability may pose a significant risk. As Microsoft points out in their post (available here), customers using Microsoft Defender for Office 365 and Microsoft 365 Apps (Versions 2302 and later) are protected from attachments and exploitation attempts related to CVE-2023-36884.

Considering Microsoft’s confirmation of active exploitation and the lack of an immediate patch, it becomes imperative to implement effective mitigation measures. Additionally, it is essential to prepare your employees to recognize and defend against potential phishing attacks associated with this vulnerability.

Mitigation

For those who do not have the aforementioned software packages in place, an alternative mitigation option is available. However, it’s important to note that while the following registry settings will mitigate the issue, they may impact the normal functionality of certain applications.

Registry Configuration:
To implement the mitigation, we need to add specific application names to the following registry key:

Registry Key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Applications to Add:

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • Powerpnt.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe

Please ensure that each application name is added as a value of type REG_DWORD with a data value of 1.

To simplify the deployment of the registry changes across multiple systems, you can leverage the following PowerShell script. This script can be deployed using Action1 or other deployment methods:

$values = @(

“Excel.exe”
“Graph.exe”
“MSAccess.exe”
“MSPub.exe”
“Powerpnt.exe”
“Visio.exe”
“WinProj.exe”
“WinWord.exe”
“Wordpad.exe”
)

$targetPath = “Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION”

$fbcpfn = Test-Path -Path $targetPath

if (-not $fbcpfn) {

New-Item -Path $targetPath -Force | Out-Null

}

$values | ForEach-Object {

$regValue = Get-ItemProperty -Path $targetPath -Name $_ -ErrorAction SilentlyContinue

if ($regValue) {

try {

Set-ItemProperty -Path $targetPath -Name $_ -Value 1 -Force -ErrorAction Stop | Out-Null

}
catch {

$Host.UI.WriteErrorLine(“Failed to set registry value for $_”)

}

}
else {

try {

New-ItemProperty -Path $targetPath -Name $_ -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null

}
catch {

$Host.UI.WriteErrorLine(“Failed to set registry value for $_”)

}

}

}

See What You Can Do with Action1

 

Join our weekly LIVE demo “Patch Management That Just Works with Action1” to learn more

about Action1 features and use cases for your IT needs.

 

spiceworks logo
getapp logo review
software advice review
trustradius
g2 review
spiceworks logo

Related Posts

No Results Found

The page you requested could not be found. Try refining your search, or use the navigation above to locate the post.