Microsoft today disclosed an unpatched zero-day security bug in several Windows and Office products exploited in the wild to achieve remote code execution through malicious Office documents.
Unauthenticated attackers can exploit the vulnerability (tracked as CVE-2023-36884) in very complex attacks without user intervention.
Successful exploitation could result in complete loss of confidentiality, availability, and integrity, allowing attackers to access sensitive information, disable system protection, and deny access to the compromised system.
“Microsoft is investigating reports of a series of remote code execution vulnerabilities affecting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities using specially crafted Microsoft Office documents,” Redmond said today.
“An attacker could create a specially crafted Microsoft Office document that would allow him to remotely execute code in the victim’s context. However, an attacker would have to convince the victim to open the malicious file.”
Although the flaw is not yet fixed, Microsoft says it will provide customers with fixes through the monthly release process or an out-of-band security update.
Until patches for CVE-2023-36884 are available, Microsoft advises that customers using Defender for Office and those who have enabled the attack surface reduction rule “Block all Office applications from creating child processes” are protected against phishing attacks attempting to exploit the bug.
Those not using these protections can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as REG_DWORD values with data 1:
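The following PowerShell script is an added example, not code from the article or from Microsoft, that applies and then audits the registry mitigation described above and also reports whether the attack surface reduction rule is enforced. It assumes the registry key path quoted in the article; the application names are a constructed sample of two well-known Office executables, because the article's own list is elided, and the ASR rule GUID is taken from Microsoft's ASR documentation rather than from this page.

```powershell
# Added example (not from the article or Microsoft). Run from an elevated
# PowerShell session on the endpoint being hardened.
# Key path quoted in the article; HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Assumption: GUID of the ASR rule "Block all Office applications from creating
# child processes", from Microsoft's ASR rule reference (not on the page).
$AsrOfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-CrossProtocolBlock {
    # Writes one REG_DWORD = 1 value per application name under the feature-control key.
    param([Parameter(Mandatory)][string[]]$AppNames)
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $AppNames) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    # Reads each value back and reports whether it is set to 1 (mitigated).
    param([Parameter(Mandatory)][string[]]$AppNames)
    foreach ($app in $AppNames) {
        $value = $null
        if (Test-Path $KeyPath) {
            $value = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Value       = $value
            Mitigated   = ($value -eq 1)
        }
    }
}

function Test-AsrOfficeChildProcessRule {
    # Returns $true when Defender reports the rule in Block mode (action 1).
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $prefs -or -not $prefs.AttackSurfaceReductionRules_Ids) { return $false }
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrOfficeChildProcessRule -and $actions[$i] -eq 1) { return $true }
    }
    return $false
}

# Constructed sample list (two well-known Office executable names). Replace it
# with the complete list from Microsoft's advisory for CVE-2023-36884.
$apps = @('WinWord.exe', 'Excel.exe')

if (Test-AsrOfficeChildProcessRule) {
    Write-Host 'ASR rule blocking Office child processes is enforced; registry mitigation is optional.'
} else {
    Write-Host 'ASR rule not enforced; applying registry mitigation.'
    Set-CrossProtocolBlock -AppNames $apps
}
Test-CrossProtocolBlock -AppNames $apps | Format-Table -AutoSize
```

Apply the setting to a pilot group before rolling it out, since it changes how the listed applications handle cross-protocol file navigation, and keep the audit function in a scheduled compliance check so the values are not silently reverted by later policy pushes.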
Exploited in attacks targeting NATO summit attendees
In a separate blog post, the company claims that the CVE-2023-36884 bug was exploited in recent attacks targeting organizations participating in the NATO summit in Vilnius, Lithuania.
As documented in reports published by the Ukrainian Computer Emergency Response Team (CERT-UA) and researchers with the BlackBerry Intelligence Team, the attackers used malicious documents posing as the Ukrainian World Congress organization to install malicious payloads, including the MagicSpell loader and the RomCom backdoor.
“If successfully exploited, it allows an attacker to conduct a Remote Code Execution (RCE)-based attack via the creation of a malicious .docx or .rtf document designed to exploit the vulnerability,” BlackBerry security researchers said.
“This is achieved by leveraging the specially crafted document to run a vulnerable version of MSDT, which in turn allows an attacker to pass a command to the utility for execution.”
RomCom is a Russia-based cybercriminal group (also tracked as Storm-0978) known to engage in ransomware and extortion attacks alongside campaigns focused on stealing credentials, likely aimed at supporting intelligence operations, according to Redmond.
“The actor’s last campaign detected in June 2023 involved the abuse of CVE-2023-36884 to provide a backdoor with similarities to RomCom,” Microsoft said on Tuesday.