FIX Office and Windows HTML Remote Code Execution Zero Day Vulnerability CVE-2023-36884

Microsoft has published guidance on CVE-2023-36884, the Office and Windows HTML Remote Code Execution Zero-Day Vulnerability. It affects both Office and Windows products, and administrators should apply the mitigations described below until the fix is installed.

The vulnerability is triggered by specially crafted Microsoft Office documents. An attacker sends a malicious file that, once opened by the victim, can execute code in the context of that user. Exploitation requires user interaction: the victim has to open the document, so phishing is the expected delivery vector.

Microsoft is investigating reports of this vulnerability and is aware of targeted attacks that attempt to exploit it using crafted Office documents. Microsoft attributes the observed exploitation to Storm-0978, a threat actor that conducts both financially motivated and espionage operations.

To address the vulnerability, Microsoft published the mitigation options described below ahead of a patch, as it had earlier for the Outlook zero-day. The July 2023 Cumulative Updates for Windows 10 and Windows 11 should still be installed, but they did not contain a fix for CVE-2023-36884 itself; Microsoft shipped that fix with the August 2023 security updates, so the mitigations below are the protection for hosts that have not yet taken the August update.

Whether a given Office installation is affected depends on its update channel and build. Microsoft 365 Apps on the Semi-Annual Enterprise Channel (Extended) at versions 2208 and 2202 are affected. Microsoft 365 Apps at version 2302 and later are protected from exploitation of this vulnerability via Office. Check the build under File > Account > About in any Office application before deciding whether the mitigations below are needed.

Customers using Microsoft Defender for Office 365 are protected against attachments that attempt to exploit this vulnerability. Independently of that, enabling the Attack Surface Reduction rule "Block all Office applications from creating child processes" prevents the exploit chain from completing, because it stops Office from spawning the child process the attack relies on. The rule requires Microsoft Defender Antivirus to be the active antimalware engine on the host.

Organizations that cannot use the protections above can instead set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION feature-control key in the registry, which blocks the cross-protocol file navigation the exploit depends on. Microsoft notes that this mitigates the vulnerability but may break regular functionality in certain use cases of the listed applications, so test it before deploying broadly. The key is: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Under that key, add one value per application executable, each of type REG_DWORD with data 1:

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe

The key is evaluated per process name, so if only some of these applications are deployed the list can be limited to those executables.
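The following PowerShell script is an added example, not code from Microsoft's advisory or from this page's author. It applies both mitigations described above (the ASR rule and the feature-control registry values) and then reads back the resulting state so the change can be verified. It assumes an elevated PowerShell session with Microsoft Defender Antivirus active; the ASR rule GUID used is the published identifier for "Block all Office applications from creating child processes".

```powershell
# Added example: apply and verify the two CVE-2023-36884 mitigations.
# Assumes: elevated PowerShell, Microsoft Defender Antivirus active.

# GUID of the ASR rule "Block all Office applications from creating child processes".
$asrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Feature-control key from Microsoft's mitigation guidance (HKLM:\ drive form).
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Executables listed in the guidance; trim to what is actually deployed if desired.
$apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

# --- 1. ASR rule. Use 'AuditMode' instead of 'Enabled' for a pilot phase. ---
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# --- 2. Feature-control key: one REG_DWORD = 1 per process name. ---
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
foreach ($app in $apps) {
    New-ItemProperty -Path $keyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
}

# --- 3. Verify what is now in effect. ---
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)
$state = 'NotConfigured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    # -eq on strings is case-insensitive in PowerShell, so GUID casing does not matter.
    if ($ids[$i] -eq $asrRuleId) {
        # Action codes: 1 = Block (Enabled), 2 = Audit, 0 = Disabled.
        $state = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}
"ASR rule {0}: action {1}" -f $asrRuleId, $state

$key = Get-ItemProperty -Path $keyPath
foreach ($app in $apps) {
    $status = if ($key.$app -eq 1) { 'mitigated' } else { 'MISSING' }
    "{0,-15} {1}" -f $app, $status
}
```

Run the ASR step with `AuditMode` first and review the Defender event log for rule hits before switching to `Enabled`, since legitimate add-ins and macros that launch helper processes will be blocked by the same rule. Remove the registry values again once the August 2023 updates and the current Office build are confirmed on the host, so the functional side effects Microsoft warns about do not persist longer than needed.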

Applying these mitigations, installing the Windows and Office updates as they become available, and tracking Microsoft's advisory for changes will protect systems from the attacks associated with this vulnerability. Phishing with crafted documents remains the delivery path, so user awareness and attachment filtering complement the technical controls above.
