Microsoft alerted users to an unpatched security vulnerability in several Windows and Office products, known as CVE-2023-36884. This flaw is currently being exploited by attackers to remotely execute malicious code on target systems.
According to a report by Bleeping Computer, although the complexity of launching an attack via this vulnerability is rated high, it requires only minimal user interaction, which makes it a significant threat. To gain access to a target's Windows system, hackers merely need to entice the user into opening a specially prepared Office document. Once this is done, they can potentially harvest sensitive data, disable security functions, or even lock owners out of their accounts.
As of now, Microsoft has not released a patch to fix this vulnerability. However, the tech giant has assured that it will address this security flaw either through its monthly release process or via a separate security update, depending on customer needs. In the meantime, Microsoft has suggested a workaround that users can implement at their discretion.
Users of Defender for Office with the rule that prohibits Office applications from creating child processes are already protected against attacks exploiting CVE-2023-36884. For other users, Microsoft recommends adding application names such as Excel.exe, PowerPoint.exe, and Wordpad.exe, among others, to a specific registry key as a temporary measure.
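The following PowerShell script is an added example, not part of the article and not Microsoft's own code, showing how an administrator could check the two mitigations just described: it reads the state of the Defender Attack Surface Reduction rule "Block all Office applications from creating child processes" (rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A) and, if that rule is not in block mode, writes the application names from the article into the registry workaround. The article does not name the registry key, so `$WorkaroundKey` is a placeholder to be replaced with the path from Microsoft's advisory, and storing each application name as a REG_DWORD value of 1 is an assumption made here. The names list only the three applications the article mentions; the advisory's full list should be used in practice.

```powershell
# Added example (not from the article or from Microsoft). Run from an elevated
# PowerShell prompt; pass -WhatIf to preview registry changes without applying them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # PLACEHOLDER: the article does not name the key. Replace with the key path
    # given in Microsoft's CVE-2023-36884 advisory before running.
    [string]$WorkaroundKey = 'HKLM:\SOFTWARE\PLACEHOLDER-KEY-FROM-MS-ADVISORY',

    # Application names taken from the article ("among others" - extend from the advisory).
    [string[]]$OfficeApps = @('Excel.exe', 'PowerPoint.exe', 'Wordpad.exe')
)

# GUID of the Defender ASR rule "Block all Office applications from creating child processes".
$AsrOfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrOfficeChildProcessRuleState {
    # Defender exposes configured ASR rules as two parallel arrays: IDs and actions.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrOfficeChildProcRule) {
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Set-Cve202336884RegistryWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Key, [string[]]$Apps)

    if (-not (Test-Path -Path $Key)) {
        if ($PSCmdlet.ShouldProcess($Key, 'Create registry key')) {
            New-Item -Path $Key -Force | Out-Null
        }
    }
    foreach ($app in $Apps) {
        # Assumption: one REG_DWORD value per application name, set to 1.
        if ($PSCmdlet.ShouldProcess("$Key\$app", 'Set REG_DWORD value to 1')) {
            New-ItemProperty -Path $Key -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-MissingWorkaroundEntries {
    # Returns the application names that are not yet set to 1 under the key,
    # so the result can be reported or fed into monitoring.
    param([string]$Key, [string[]]$Apps)
    if (-not (Test-Path -Path $Key)) { return $Apps }
    $props = Get-ItemProperty -Path $Key
    return @($Apps | Where-Object { [int]($props.$_ ) -ne 1 })
}

$state = Get-AsrOfficeChildProcessRuleState
Write-Host "ASR rule 'Block Office child processes': $state"

if ($state -eq 'Block') {
    Write-Host 'Covered by the ASR rule; the registry workaround is not required.'
} else {
    Write-Host 'ASR rule not in block mode; applying the registry workaround.'
    Set-Cve202336884RegistryWorkaround -Key $WorkaroundKey -Apps $OfficeApps
    $missing = Get-MissingWorkaroundEntries -Key $WorkaroundKey -Apps $OfficeApps
    if ($missing.Count -eq 0) {
        Write-Host 'All listed applications are present under the workaround key.'
    } else {
        Write-Warning ("Still missing: " + ($missing -join ', '))
    }
}
```

The script reports rather than silently changes state: the ASR check comes first because a rule already in block mode makes the registry edit redundant, and the final verification step lists any application names that did not end up under the key, which is the same check an endpoint-compliance job would run after the patch is eventually published and the workaround can be removed.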
Interestingly, this vulnerability has already been used in real-world attacks. Microsoft reported that attackers have exploited this flaw to target participants of the NATO summit in Lithuania. The hackers, believed to be a Russia-based group known by names such as Romcom, Storm-0978, or DEV-0978, distributed fake documents purportedly from the Ukrainian World Congress organization to spread a backdoor.
Primarily, these attackers have focused on stealing login credentials and are suspected of having ties with intelligence operations. The development of the backdoor, also referred to as Romcom, is attributed to this group.
As we await Microsoft’s patch to address this issue, users must take the recommended steps to protect their systems and data. Remember, in the realm of cybersecurity, prevention is always better than cure.