CVE-2023-36884 identifies a vulnerability within the processing chain of Microsoft Office files. This weakness exploits the manner in which Office files such as Word (docx/docm), Excel (xlsx/xlsm), or PowerPoint (pptx/pptm) initialize and load certain elements.
Technical Background
Upon startup of an Office document, various elements can already be loaded. An example of this is an external template. However, CVE-2023-36884 exploits the altChunk structure.
The abuse takes place when during the loading of the document, a reference to a subdocument is found (usually named afChunk.rtf or altChunk.rtf, but it may have a different name), and this subdocument is subsequently loaded. This process is designed to facilitate document merging, but it introduces a risk. In the case of CVE-2023-36884, the subdocument contains malicious code that executes on the system. Complicating the issue, the loading and executing of the subdocument remain invisible to the process manager.
All this happens before the main document even becomes visible to the user, even in protected view. This allows an attacker to gain access to the system and take control of the entire computer undetected.
Microsoft’s Stance
Currently, Microsoft advises users to disable certain features related to CVE-2023-36884, as there is yet to be a definitive fix. Regrettably, these recommended actions require complex operations that may impact computer functionality.
Protection with CDR Technology
By utilizing our Content Disarm and Reconstruction (CDR) technology, files infected with the CVE-2023-36884 attack method can safely be opened. CDR ensures that the harmful elements are removed from the file – in the case of CVE-2023-36884, this includes the subdocument and the reference to it. By focusing on preserving clean elements and removing anything that could potentially be harmful, CDR provides protection against this and similar (yet unknown) attacks.
