HTML RCE Vulnerability CVE-2023-36884 Allows Office and Windows System Takeover

Sicherheit (Pexels, allgemeine Nutzung)[German]Short addendum regarding security. As of July 11, 2023 (patch day), another 0-day vulnerability (CVE-2023-36884) has become public, which allows remote code execution in Microsoft Windows and Office. The vulnerability has already been exploited by hackers from the group Storm-0978 for attacks on various targets (e.g. Nato summit in July 2023). I had mentioned the vulnerability in the patchday overview, but currently there is no patch. Microsoft has only published mitigation instructions.


Office/Windows HTML RCE vulnerability CVE-2023-36884

Vulnerability CVE-2023-36884 is an HTML remote code execution vulnerability introduced via an Internet Explorer component that affects Microsoft Office and Windows. Currently, Microsoft writes that it is investigating reports of a number of remote code execution vulnerabilities affecting Windows and Office products.

Microsoft is aware of targeted attacks that attempt to exploit this vulnerability using specially crafted Microsoft Office documents. In the article Microsoft Security Update Summary (July 11, 2023), I had mentioned that the NATO summit in the Baltic States, which just took place in July 2023, was attacked (the colleagues from Bleeping Computer had mentioned this here).

The RCE vulnerability in Microsoft Windows and Office has received a CVEv3 score of 8.3 and the important. The attacks are blamed on a group Storm-0978 from Russia, which also goes by names like DEV-0978 or RomCom. The actors specialize in ransomware campaigns (underground ransomware) and extortion. Target regions include Ukraine, North America and Europe, while target industries include telecommunications and finance.

From Microsoft, there is this blog post that reveals some information about the group's targets and gets many more details. Storm-0978 uses a backdoor known as RomCom for its ransomware and extortion operations (Ransomware Underground), as well as targeted credential collection campaigns. It is believed that the latter activities are likely to support intelligence operations.

Furthermore, the Industrial Spy ransomware, which was first observed in the wild in May 2022, is also used by this group. In the actor's last campaign, discovered in June 2023, CVE-2023-36884 was abused to deliver a backdoor that shares similarities with RomCom.


The attacks on enterprises use trojanized versions of popular legitimate software packages sent via phishing emails. Microsoft writes that Storm-0978's targeted operations affected government and military entities primarily in Ukraine, as well as organizations in Europe and North America that may be involved in Ukrainian affairs. The identified ransomware attacks targeted the telecommunications and financial industries, among others.

No patch, but Defender detection

As mentioned above, there is currently no patch to address the vulnerability. According to Microsoft, customers using Microsoft Defender for Office 365 are protected from malicious attachments that attempt to exploit CVE-2023-36884. In addition, Microsoft 365 Apps users (version 2302 and above) are also protected from exploiting the vulnerability through Office. There is also a rule for this to prevent child processes from being created (see).

Additional mitigations

Organizations that cannot take advantage of these protections, according to the Microsoft blog post, can use the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key for Internet Explorer at:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl

and specify the names of the blocked applications (Excel etc.) as values (see screenshot and the instructions under CVE-2023-36884) to prevent exploitation. Note, however, this comment regarding the exact name of the .exe files for PowerPoint (should be Powerpnt.exe).

IE registry entry to mitigate CVE-2023-36884;
IE registry entry against CVE-2023-36884; Click to zoom

For more mitigation recommendations, see the linked blog post. From Blackberry, there is an analysis that tips administrators to look at outbound traffic on the network to detect infection. Interestingly, there is mention of the Follina vulnerability.

Similar articles:
Microsoft Security Update Summary (July 11, 2023)
Patchday: Windows 10-Updates (July 11, 2023)
Patchday: Windows 11/Server 2022-Updates (July 11, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (July 11, 2023)
Microsoft Office Updates (July 11, 2023)

Windows: Malware still loadable in kernel drivers (RedDriver attack)
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud

Cookies helps to fund this blog: Cookie settings

This entry was posted in Office, Security, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *