CVE-2023-36584
Published 2023-10-10
CVE-2023-36584: Windows Mark of the Web Security Feature Bypass Vulnerability
Priority P2 79 · medium · CVSS 3.1 base score 5.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
KEV · ITW
CISA Known Exploited Vulnerability, due 2023-12-07
Exploited in the wild
EPSS: 3.06% (85.9th percentile)
Windows Mark of the Web Security Feature Bypass Vulnerability
Affected
40 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1507 | < 10.0.10240.20232 | 10.0.10240.20232 |
| microsoft | windows_10_1809 | < 10.0.17763.4974 | 10.0.17763.4974 |
| microsoft | windows_10_21h1 | < 10.0.19041.3570 | 10.0.19041.3570 |
| microsoft | windows_10_22h2 | < 10.0.19041.3570 | 10.0.19041.3570 |
| microsoft | windows_10_version_1507 | >= 10.0.10240.0 < 10.0.10240.20232 | 10.0.10240.20232 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.6351 | 10.0.14393.6351 |
| microsoft | windows_10_version_1809 | >= 10.0.0 < 10.0.17763.4974 | 10.0.17763.4974 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.4974 | 10.0.17763.4974 |
| microsoft | windows_10_version_21h2 | >= 10.0.19043.0 < 10.0.19041.3570 | 10.0.19041.3570 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.3570 | 10.0.19045.3570 |
| microsoft | windows_11_21h2 | < 10.0.22000.2538 | 10.0.22000.2538 |
| microsoft | windows_11_22h2 | < 10.0.22621.2428 | 10.0.22621.2428 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.2538 | 10.0.22000.2538 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.2428 | 10.0.22621.2428 |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.7601.0 < 6.1.7601.26769 | 6.1.7601.26769 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.6003.0 < 6.0.6003.22317 | 6.0.6003.22317 |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | >= 6.2.9200.0 < 6.2.9200.24523 | 6.2.9200.24523 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.21620 | 6.3.9600.21620 |
| microsoft | windows_server_2016 | < 10.0.14393.6351 | 10.0.14393.6351 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.6351 | 10.0.14393.6351 |
| microsoft | windows_server_2019 | < 10.0.17763.4974 | 10.0.17763.4974 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.4974 | 10.0.17763.4974 |
| microsoft | windows_server_2022 | < 10.0.20348.2031 | 10.0.20348.2031 |
Detection & IOCs (extracted from sources)
URL: hxxps://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx
- The malicious .docx uses an altChunk element in word/document.xml to import an embedded RTF file (word/afchunk.rtf) containing malicious OLE objects — inspect DOCX archives for altChunk references pointing to internal RTF files.
- The embedded RTF uses OLE autolink (objautlink) with objupdate to force object updates before display, triggering outbound SMB connections that leak NTLM credentials — detect objautlink+objupdate combinations in RTF files.
- The OLE object class is Word.Document.8 with a LinkedObject structure pointing to an attacker-controlled SMB share — monitor for Word.Document.8 OLE objects referencing external UNC paths in RTF files.
- A second OLE object uses the xmlfile class with an EmbeddedObject structure containing a URLMoniker to load a remote XML file over HTTP — detect xmlfile-class OLE objects with URLMoniker structures in RTF documents.
- The attack leaks victim NTLM credentials via an outbound SMB connection to the attacker-controlled server at 104.234.239[.]26 — monitor for unexpected outbound SMB (port 445) connections to external IPs from Office processes.
- Microsoft's own advisory rates the exploit likelihood as 'Exploitation Less Likely' and records no public disclosure or confirmed exploitation, which may affect prioritization decisions despite CISA KEV listing.
- The MotW bypass only succeeds when the Word document is NOT tagged with MotW, which disables Protected View — detections relying solely on MotW tagging will not catch this exploit.
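The DOCX and RTF traits listed above can be checked statically before a document is opened. The scanner below is an added example, not code from any of the cited sources: it resolves altChunk references in word/document.xml to in-package RTF parts and flags objautlink/objupdate, the declared object class, and any UNC path hidden in hex-encoded objdata; the sample document, its relationship type and its UNC host are constructed placeholders, not the real lure or IoC.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
UNC_RE = re.compile(r'\\\\[\w.\-]+\\[^\s\x00"<>|]*')  # \\host\share\...

def scan_rtf(rtf: bytes) -> dict:
    """Flag forced OLE auto-update and any UNC path hidden in hex-encoded \\objdata."""
    hits = {"objautlink": b"\\objautlink" in rtf, "objupdate": b"\\objupdate" in rtf,
            "objclass": re.findall(rb"\\objclass\s+([^\s}]+)", rtf), "unc_targets": []}
    for blob in re.findall(rb"\\objdata\s+([0-9A-Fa-f\s]+)", rtf):
        try:
            data = bytes.fromhex(b"".join(blob.split()).decode())
        except ValueError:  # truncated or malformed hex blob
            continue
        for enc in ("latin-1", "utf-16-le"):  # link monikers may store ANSI or UTF-16 paths
            hits["unc_targets"] += UNC_RE.findall(data.decode(enc, errors="ignore"))
    return hits

def scan_docx(docx: bytes) -> dict:
    """Resolve each altChunk in word/document.xml and scan in-package RTF targets."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        targets = {e.get("Id"): e.get("Target", "") for e in rels.iter(REL + "Relationship")}
        for chunk in doc.iter(W + "altChunk"):
            part = "word/" + targets.get(chunk.get(R + "id"), "")
            if part.lower().endswith(".rtf") and part in z.namelist():
                report[part] = scan_rtf(z.read(part))
    return report

def build_sample() -> bytes:
    """Constructed mock with the described layout; the UNC host is a placeholder, not a real IoC."""
    unc = "\\\\203.0.113.10\\share\\file.doc"
    objdata = (b"\x01\x05\x00\x00" + unc.encode("utf-16-le")).hex().encode()
    rtf = (rb"{\rtf1{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
           rb"{\*\objdata " + objdata + rb"}}}")
    doc = (f'<w:document xmlns:w="{W[1:-1]}" xmlns:r="{R[1:-1]}"><w:body>'
           '<w:altChunk r:id="rId2"/></w:body></w:document>')
    rels = (f'<Relationships xmlns="{REL[1:-1]}"><Relationship Id="rId2" '
            'Type="aFChunk" Target="afchunk.rtf"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/afchunk.rtf", rtf)
    return buf.getvalue()
```

Run `scan_docx(open(path, "rb").read())` on a real file; an empty report means no altChunk resolved to an in-package RTF part, which is the benign case for ordinary documents.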
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
| vulncheck | 7.5 | HIGH | — |
| cisa | 5.4 | MEDIUM | — |
| vendor_msrc | 5.4 | MEDIUM | — |
GHSA
GHSA-frhq-jq5j-7w9c: Windows Mark of the Web Security Feature Bypass Vulnerability
ghsa_unreviewed · 2023-10-10 · CVE-2023-36584 [MEDIUM]
Windows Mark of the Web Security Feature Bypass Vulnerability
VulnCheck
Microsoft Windows Search Remote Code Execution Vulnerability
vulncheck · 2023 · CVSS 7.5 · CVE-2023-36884 [HIGH] · CWE-362
Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file, leading to remote code execution.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2023-Jul; https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/; https://unit42.paloaltonetworks.com/cve-2023-3688
VulnCheck
Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability
vulncheck · 2023 · CVSS 5.4 · CVE-2023-36584 [MEDIUM]
Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://assets.beyondtrust.com/assets/documents/BT_whitepaper_Microsoft-Vulnerabilities-Report-2024.pdf
Remediation Due: 2023-12-07
CISA
Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability
cisa · 2023-11-16 · CVSS 5.4 · CVE-2023-36584 [MEDIUM]
Affected: Microsoft Windows
Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36584 ; https://nvd.nist.gov/vuln/detail/CVE-2023-36584
Remediation Due Date: 2023-12-07
Microsoft
Windows Mark of the Web Security Feature Bypass Vulnerability
vendor_msrc · 2023-10-10 · CVSS 5.4 · CVE-2023-36584 [MEDIUM]
FAQ: How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker could host a file on an attacker-controlled server, then convince a targeted user to download and open the file. This could allow the attacker to interfere with the Mark of the Web functionality.
Please see "Additional information about Mark of the Web" for further clarification.
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L) and some loss of availability (A:L). What does that mean for this vulnerability?
An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of securi
No detection rules found.
No public exploits indexed.
Bleepingcomputer
## CISA warns of actively exploited Windows, Sophos, and Oracle bugs
blogs_bleepingcomputer · 2023-11-17 · CVSS 9.8 [CRITICAL]
By Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency has added to its catalog of known exploited vulnerabilities (KEV) three security issues that affect Microsoft devices, a Sophos product, and an enterprise solution from Oracle.
The KEV catalog contains flaws confirmed to be exploited by hackers in attacks and serves as a repository for vulnerabilities that companies all over should treat with priority.
The agency is urging federal agencies to apply available security updates for the three issues before December 7. The three vulnerabilities are tracked as follows:
- CVE-2023-36584 – "Mark of the Web" (MotW) security feature bypass on Microsoft Windows.
- CVE-2023-1671 – Command injection vulnerability
Unit42
In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
blogs_unit42 · 2023-11-13 · CVSS 5.4 · CVE-2023-36584 [MEDIUM]
## Executive Summary
During our analysis of a July 2023 campaign targeting groups supporting Ukraine's admission into NATO, we discovered a new vulnerability for bypassing Microsoft's Mark-of-the-Web (MotW) security feature. This activity has been attributed by the community to the pro-Russian APT group known as Storm-0978 (also known as the RomCom Group, in reference to their use of the RomCom backdoor). This group used a highly complex and well-developed exploit chain leveraging a remote code execution (RCE) vulnerability in Microsoft Office designated CVE-2023-36884 to infect its targets with malware.
Our investigation revealed a new exploit method related to CVE-2023-36884 that can bypass MotW. Microsoft awarded our team a bug bounty and assigned CVE-2023-36584 (CVSS score 5) to this
Unit42
## In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
blogs_unit42 · 2023-11-13 · CVSS 5.4 · CVE-2023-36884 [MEDIUM]
Authors: Eli Birkan, Dan Yashnik, Oriel Cochavi, Bar Lahav, Mike Harbison
Published: November 13, 2023
Tags: Malware, Threat Research, Vulnerabilities, CVE-2023-36584, CVE-2023-36884, Exploit, Microsoft Office, Microsoft Vulnerability, Remote Code Execution, RomCom, Storm-0978, Ukraine
Trendmicro
# The October 2023 Security Update Review
blogs_trendmicro · 2023-10-10
Get the October 2023 security update and review.
By: Dustin Childs, 2023/10/10
Twenty years ago this month, Microsoft introduced the concept of “Patch Tuesday” – although the marketing folks wanted it called “Update Tuesday” (they didn’t like the word “patch”). Over the years, more companies joined the Patch Tuesday bandwagon. Here we are 20 years later, still talking about the latest security releases from Adobe and Microsoft. Pop some champagne to celebrate and join us as we review the details of the latest advisories from Adobe and Microsoft. If you’d rather watch the video recap, you can check it out here.
Adobe Patches for October 2023
For October, Adobe released three bulletins addressing 13 CVEs in Ado
Bleepingcomputer
## Microsoft October 2023 Patch Tuesday fixes 3 zero-days, 104 flaws
blogs_bleepingcomputer · 2023-10-10 · CVSS 5.3 · CVE-2023-5346 [MEDIUM]
By Lawrence Abrams
- 26 Elevation of Privilege Vulnerabilities
- 3 Security Feature Bypass Vulnerabilities
- 45 Remote Code Execution Vulnerabilities
- 12 Information Disclosure Vulnerabilities
- 17 Denial of Service Vulnerabilities
- 1 Spoofing Vulnerability
The total count of 104 flaws does not include one Chromium vulnerability tracked as CVE-2023-5346, which was fixed by Google on October 3rd and ported to Microsoft Edge.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5031354 cumulative update and Windows 10 KB5031356 cumulative update.
## Three actively exploited zero-day vulnerabilities
This month's Patch Tuesday fixes three zero-day vulne
Published: 2023-10-10
Added to CISA KEV: 2023-11-16
Exploited in the wild