Microsoft has announced the discovery of an unpatched zero-day security vulnerability in several of its Windows and Office products. The flaw, identified as CVE-2023-36884, has been exploited in sophisticated attacks that don't require user interaction. Successful exploitation of this vulnerability could result in a total loss of confidentiality, availability, and integrity. This would enable the attackers to gain access to sensitive information, disable system protection, and even deny access to the compromised system.
The tech giant stated, "Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents." The attackers can create a malicious Microsoft Office document that allows them to execute remote code in the context of the victim. However, the attacker would need to persuade the victim to open the malicious file.
While Microsoft has not yet addressed the flaw, it has assured customers that patches will be provided through the monthly release process or an out-of-band security update. Until patches for CVE-2023-36884 are available, Microsoft advises that customers using Defender for Office and those who have activated the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected against phishing attacks attempting to exploit the bug.
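As an added example (not code from the article or from Microsoft), the following PowerShell checks the state of the Attack Surface Reduction rule named above on a single machine, enables it, and pulls the Defender events that record what the rule blocked or audited. The rule GUID is Microsoft's published identifier for "Block all Office applications from creating child processes"; the function names are my own, and an elevated session with Microsoft Defender Antivirus active is assumed.

```powershell
# Microsoft's documented GUID for the ASR rule
# "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Numeric action values as returned by Get-MpPreference.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-OfficeChildProcRuleState {
    # Returns Disabled / Block / Audit / Warn / NotConfigured for the rule.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcRule) {
            $name = $ActionName[[int]$acts[$i]]
            if ($name) { return $name }
            return "Unknown($($acts[$i]))"
        }
    }
    return 'NotConfigured'
}

function Enable-OfficeChildProcRule {
    param([ValidateSet('Audit', 'Block')][string]$Mode = 'Block')
    # Audit mode only logs what would be blocked; use it for a staged rollout.
    # Add-MpPreference is used instead of Set-MpPreference so that any other
    # ASR rules already configured are left in place.
    $action = if ($Mode -eq 'Audit') { 'AuditMode' } else { 'Enabled' }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $action
}

function Get-OfficeChildProcRuleEvents {
    param([int]$Hours = 24)
    # ASR events are written to the Defender operational log:
    # event ID 1121 = blocked, 1122 = audited. The rule GUID appears in the message.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $OfficeChildProcRule } |
        Select-Object TimeCreated, Id, Message
}

"Rule state before: $(Get-OfficeChildProcRuleState)"
Enable-OfficeChildProcRule -Mode Block
"Rule state after:  $(Get-OfficeChildProcRuleState)"
Get-OfficeChildProcRuleEvents -Hours 24 | Format-Table -AutoSize
```

Run it first with `-Mode Audit` on a pilot group and review the 1122 events for legitimate Office child processes (add-ins, installers) before switching to Block.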
The company revealed in a separate blog post that the CVE-2023-36884 bug was exploited in recent attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania. According to reports from Ukraine's Computer Emergency Response Team (CERT-UA) and researchers with BlackBerry's intelligence team, the attackers used malicious documents posing as the Ukrainian World Congress organization to install malware payloads, including the MagicSpell loader and the RomCom backdoor.
BlackBerry security researchers explained, "If successfully exploited, it allows an attacker to conduct a remote code execution (RCE)-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability." RomCom, a Russia-based cybercriminal group also known as Storm-0978, is known for its involvement in ransomware and extortion attacks, as well as campaigns aimed at stealing credentials, likely to support intelligence operations. Microsoft confirmed, "The actor's latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom."