Microsoft's Office Defense in Depth Update ADV230003 (August 2023) breaks RCE Attacks via CVE-2023-36884

[German]Microsoft has released security updates for Windows and Office as of August 8, 2023. For Microsoft Office, there were security updates for the MSI versions for both version 2013 and Office 2016. The C2R variants of Office 2016 and 2019 should also have received their corresponding update. Microsoft is calling these updates "Defense in Depth Updates", which is intended to break an attack chain in Windows Search. Here is some more information about it.


ADV230003 to the vulnerability CVE-2023-36884 fixed

Microsoft states to make an Office Defense in Depth update with the August 2023 updates (especially for Microsoft Office) – colleagues here noticed it. The whole thing was published under ADV230003. According to Microsoft, the vulnerability in Microsoft Office, which is rated as moderate, should be even better secured in terms of exploitability. The vulnerability in question is CVE-2023-36884, which became public as a Windows Search Remote Code Execution Vulnerability back in July 2023 (there was no security update for this vulnerability on the July 2023 patchday).

The vulnerability allows an attack scenario in which the attacker can send a specially crafted file to the targeted user via email or instant message. Remote code execution could be exploited via the vulnerability. Specifically, it revolves around the Mark of the Web (MotW) security feature, which is supposed to prevent the execution of files marked as originating from the Internet with the MotW flag and show a security warning. The malicious file introduced by the attacker can now bypass these very Mark of the Web (MOTW) protections to execute code on the victim system.

However, the constellation is such that the victim has to specifically open the malicious file to execute it. An attacker has no way to force a user to view the malicious content. So, it boils down to the attacker enticing the victim to do something. This can be asking to click on a link to redirect the user to the attacker's website, where a download is then offered. Or a malicious attachment is sent.

Installing these updates should break the attack chain that leads to the Windows Search remote code execution vulnerability (CVE-2023-36884). Microsoft recommends installing the Office updates discussed in this advisory, as well as the August 2023 Windows updates. I listed the relevant updates for the MSI files in the blog post Microsoft Office Updates (August 8, 2023). ADV230003 also includes the list of updates for the Click-2-Run installations.

What to know about CVE-2023-36884

There is something about this vulnerability, as it appears in several blog posts. In the blog post Microsoft Security Update Summary (July 11, 2023) I had mentioned that e.g. the NATO summit in the Baltic States, which took place in July 2023, was attacked via vulnerability CVE-2023-36884. In the blog post HTML RCE Vulnerability CVE-2023-36884 Allows Office and Windows System Takeover I outlined more details.


Vulnerability CVE-2023-36884 is an HTML remote code execution vulnerability introduced via an Internet Explorer component that affects both Microsoft Office and Windows. Microsoft stated in July 2023 that it was investigating reports of a number of remote code execution vulnerabilities affecting Windows and Office products. A Storm-0978 group from Russia, also going by names such as DEV-0978 or RomCom, is accused of the attacks. The actors specialize in ransomware campaigns (underground ransomware) and extortion. Target regions include Ukraine, North America and Europe, while target industries include telecommunications and finance.

Similar articles:
Microsoft Security Update Summary (August 8, 2023)
Patchday: Windows 10 Updates (August 8, 2023)
Patchday: Windows 11/Server 2022 Updates (August 8, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (August 8, 2023)
Microsoft Office Updates (August 8, 2023)

Windows 11 22H2: Preview Update KB5028254 (July 25, 2023)
Windows 11 21H2: Preview-Update KB5028245 (July 25, 2023)
Windows 10 22H2 Preview Update KB5028244 (July 25, 2023)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Office, Security, Update and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *