CVE-2023-36884 is a critical remote code execution vulnerability in Microsoft Windows and Office that allows an attacker to execute arbitrary code on a victim’s system by convincing them to open a specially crafted Microsoft Office document that contains an embedded HTML object.
Here is our Intune approach to mitigate CVE-2023-36884.
CVE-2023-36884 Intune detection script:
<#
.SYNOPSIS
CVE-2023-36884 Intune detection script
.DESCRIPTION
CVE-2023-36884 is a critical remote code execution vulnerability in Microsoft Windows and Office that allows an attacker to execute arbitrary code on a victim's system by convincing them to open a specially crafted Microsoft Office document that contains an embedded HTML object.
The vulnerability exploits a memory corruption flaw in MSHTML, the rendering engine used by Windows and Office to display HTML content.
The vulnerability has been used by a threat actor group known as Storm to target government and corporate entities around the world.
Microsoft has not released any patches for this vulnerability yet, but has provided some mitigation guidance on its Threat Intelligence Blog.
This script is enabling Technology's implementation of the mitigation advice from the Threat Intelligence Blog.
.LINK
https://nvd.nist.gov/vuln/detail/CVE-2023-36884
.LINK
https://www.tenable.com/blog/microsofts-july-2023-patch-tuesday-addresses-130-cves-cve-2023-36884
.LINK
https://www.picussecurity.com/resource/blog/cve-2023-36884-a-detailed-look-at-the-recent-microsoft-vulnerability
.LINK
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36884
.NOTES
enabling Technology approach to mitigate CVE-2023-36884
This is a mitigation, not a fix!
Intune evaluates the exit code: 0 means the mitigation is in place, 1 means it is missing and the remediation script runs.
#>
# Policy key from Microsoft's mitigation guidance; each Office process listed below
# must have a REG_DWORD value of 1 under this key.
$RegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Process names that have to be present with the value 1
$ProcessNames = @(
    'Visio.exe'
    'WinWord.exe'
    'Wordpad.exe'
    'WinProj.exe'
    'PowerPoint.exe'
    'Excel.exe'
    'MsPub.exe'
    'Graph.exe'
    'MSAccess.exe'
)

try
{
    # Key missing: the mitigation has not been applied at all
    if (!(Test-Path -LiteralPath $RegPath -ErrorAction Stop))
    {
        Exit 1
    }

    $paramGetItemPropertyValue = @{
        LiteralPath = $RegPath
        ErrorAction = 'Stop'   # a missing value throws and ends up in the catch block
    }

    # Every process entry must be exactly 1; a missing or different value is non-compliant
    foreach ($ProcessName in $ProcessNames)
    {
        if (!((Get-ItemPropertyValue -Name $ProcessName @paramGetItemPropertyValue) -eq 1))
        {
            Exit 1
        }
    }
}
catch
{
    # Any error (missing value, access denied) is reported as non-compliant
    Exit 1
}

# All values present and set to 1: compliant
Exit 0
CVE-2023-36884 Intune remediation script:
<#
.SYNOPSIS
CVE-2023-36884 Intune remediation script
.DESCRIPTION
CVE-2023-36884 is a critical remote code execution vulnerability in Microsoft Windows and Office that allows an attacker to execute arbitrary code on a victim's system by convincing them to open a specially crafted Microsoft Office document that contains an embedded HTML object.
The vulnerability exploits a memory corruption flaw in MSHTML, the rendering engine used by Windows and Office to display HTML content.
The vulnerability has been used by a threat actor group known as Storm to target government and corporate entities around the world.
Microsoft has not released any patches for this vulnerability yet, but has provided some mitigation guidance on its Threat Intelligence Blog.
This script is enabling Technology's implementation of the mitigation advice from the Threat Intelligence Blog.
.LINK
https://nvd.nist.gov/vuln/detail/CVE-2023-36884
.LINK
https://www.tenable.com/blog/microsofts-july-2023-patch-tuesday-addresses-130-cves-cve-2023-36884
.LINK
https://www.picussecurity.com/resource/blog/cve-2023-36884-a-detailed-look-at-the-recent-microsoft-vulnerability
.LINK
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36884
.NOTES
enabling Technology approach to mitigate CVE-2023-36884
This is a mitigation, not a fix!
Writing under HKLM requires an elevated context; Intune runs remediation scripts as SYSTEM unless configured to use the logged-on user's credentials.
#>
# Policy key from Microsoft's mitigation guidance
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Process names that receive a REG_DWORD value of 1
$processNames = @(
    'Visio.exe'
    'WinWord.exe'
    'Wordpad.exe'
    'WinProj.exe'
    'PowerPoint.exe'
    'Excel.exe'
    'MsPub.exe'
    'Graph.exe'
    'MSAccess.exe'
)

# Create the key if it does not exist yet (-Force also creates missing parent keys)
if ((Test-Path -LiteralPath $regPath -ErrorAction SilentlyContinue) -ne $true)
{
    $null = (New-Item -Path $regPath -Force -Confirm:$false -ErrorAction SilentlyContinue)
}

$paramNewItemProperty = @{
    LiteralPath  = $regPath
    Value        = 1
    PropertyType = 'DWord'
    Force        = $true    # overwrite an existing value of the same name
    Confirm      = $false
    ErrorAction  = 'SilentlyContinue'
}

# Set each process entry; the detection script checks for exactly these names and the value 1
foreach ($processName in $processNames)
{
    $null = (New-ItemProperty -Name $processName @paramNewItemProperty)
}
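The detection script above only signals compliant or not. As an added example that is not part of the enabling Technology scripts, the following variant reports which of the nine process entries is missing or set to the wrong value, which helps when a device keeps showing as non-compliant after remediation; the function name Get-MitigationStatus is chosen here and is not from the original page.

```powershell
# Added example, not part of the original scripts: per-process status of the
# CVE-2023-36884 mitigation key instead of a bare exit code.
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$processNames = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MsPub.exe', 'PowerPoint.exe',
                  'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Get-MitigationStatus
{
    # Hypothetical helper name; emits one object per expected registry value
    $keyExists = Test-Path -LiteralPath $regPath
    foreach ($name in $processNames)
    {
        $value = $null
        if ($keyExists)
        {
            # Get-ItemProperty returns $null for a value that does not exist instead of throwing
            $value = (Get-ItemProperty -LiteralPath $regPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        [PSCustomObject]@{
            Process   = $name
            Value     = $value
            Compliant = ($value -eq 1)
        }
    }
}

$status = @(Get-MitigationStatus)
$status | Format-Table -AutoSize

# Intune stores the script output next to the exit code, so name the offending entries
$missing = @($status | Where-Object { -not $_.Compliant })
if ($missing.Count -gt 0)
{
    Write-Output ('Missing or mis-set: ' + ($missing.Process -join ', '))
    Exit 1
}
Write-Output 'CVE-2023-36884 mitigation fully applied'
Exit 0
```

The exit codes match the original detection script, so this variant can be used as a drop-in detection script when the output is wanted in the Intune report.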
You will find this, and many other Intune-related scripts and tools, in our dedicated GitHub repository: Enatec/MicrosoftEndpointManager.