
Microsoft Office zero-day CVE-2023-36884

On Patch Tuesday of July 2023, Microsoft disclosed that specially crafted Office documents are being actively exploited to achieve remote code execution. The attacker does have to convince the victim to open the document that was sent to them. No patch is available yet for this vulnerability, tracked as CVE-2023-36884.

Users of Defender for Office, or those who have the rule "Block all Office applications from creating child processes" enabled in Windows Defender for Endpoint, are protected. If you are not sure, use the steps below as a mitigation.

The temporary workaround is to create a number of registry values for specific Office applications (source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884):

# Run from an elevated PowerShell session: the values are written under HKLM.
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"

# Create the FeatureControl key once if it does not exist yet
if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }

# Set the DWORD value 1 for each Office application named in the advisory
foreach ($app in "Graph.exe","MSAccess.exe","MSPub.exe","PowerPoint.exe","Visio.exe","WinProj.exe","WinWord.exe","WordPad.exe") {
    New-ItemProperty -Path $key -Name $app -Value 1 -PropertyType DWord -Force | Out-Null
}

Or save the text below to a .reg file and double-click it to load it into your registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]
"Graph.exe"=dword:00000001
"MSAccess.exe"=dword:00000001
"MSPub.exe"=dword:00000001
"PowerPoint.exe"=dword:00000001
"Visio.exe"=dword:00000001
"WinProj.exe"=dword:00000001
"WinWord.exe"=dword:00000001
"WordPad.exe"=dword:00000001
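After applying either of the workarounds above you will want to confirm that a machine is actually covered. The audit script below is an added example, not part of the Microsoft advisory or of this post; it assumes the ASR rule "Block all Office applications from creating child processes" is identified by rule id D4F940AB-401B-4EFC-AADC-AD5F3C50688A with action 1 meaning Block, and it checks both that rule and the FeatureControl values for the eight applications listed.

```powershell
# Audit script (added example; not from the MSRC advisory or this post).
# Reports whether the CVE-2023-36884 mitigations are in place on this host:
#  1. the ASR rule "Block all Office applications from creating child processes"
#     (rule id D4F940AB-401B-4EFC-AADC-AD5F3C50688A, action 1 = Block), and
#  2. FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION = DWORD 1 per Office binary.
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$apps   = 'Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe','Visio.exe','WinProj.exe','WinWord.exe','WordPad.exe'

function Test-AsrOfficeChildProcessRule {
    # $true only when Defender is present and the rule is configured in Block mode.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref -or -not $pref.AttackSurfaceReductionRules_Ids) { return $false }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $ruleId) {
            return ($pref.AttackSurfaceReductionRules_Actions[$i] -eq 1)
        }
    }
    return $false
}

function Get-MissingFeatureControlValues {
    # Returns the binaries that still lack the DWORD value 1 under the FeatureControl key.
    if (-not (Test-Path $key)) { return $apps }
    $item = Get-ItemProperty -Path $key
    return $apps | Where-Object { $item.$_ -ne 1 }
}

$asrBlocking = Test-AsrOfficeChildProcessRule
$missing     = @(Get-MissingFeatureControlValues)

if ($asrBlocking) {
    Write-Host "ASR rule (Office child processes) is in Block mode: protected."
} else {
    Write-Host "ASR rule not found or not in Block mode."
}
if ($missing.Count -eq 0) {
    Write-Host "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is set for all listed applications."
} else {
    Write-Host "Missing or incorrect FeatureControl values for: $($missing -join ', ')"
}
if (-not $asrBlocking -and $missing.Count -gt 0) {
    Write-Warning "Neither mitigation is active; apply the registry workaround above."
}
```

The script only reads Defender preferences and HKLM, so it can be run from a standard user session to audit a host before rolling out the workaround.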