CVE-2023-23390
📋 TL;DR
CVE-2023-23390 is a heap-based buffer overflow vulnerability in Microsoft 3D Builder that allows remote code execution. Attackers can exploit this by tricking users into opening specially crafted 3D files, potentially gaining full control of the affected system. This affects users running vulnerable versions of 3D Builder on Windows.
💻 Affected Systems
- Microsoft 3D Builder
📦 What is this software?
3D Builder by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining SYSTEM-level privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local user account compromise leading to data exfiltration, credential harvesting, and lateral movement within the network.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash only.
🎯 Exploit Status
Exploitation requires user interaction to open malicious file; no known public exploits as of last update.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest security update from Microsoft
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23390
Restart Required: No
Instructions:
1. Open Windows Settings
2. Navigate to Windows Update
3. Click 'Check for updates'
4. Install all available updates
5. Alternatively, update through the Microsoft Store for 3D Builder specifically
🔧 Temporary Workarounds
Disable 3D Builder file associations
Platform: Windows
Prevent 3D Builder from automatically opening 3D model files
Open Settings > Apps > Default apps > Choose default apps by file type > Remove 3D Builder associations for .3mf, .stl, .obj, .ply, .glb, .gltf files
Uninstall 3D Builder
Platform: Windows
Remove the vulnerable application entirely
Open PowerShell as Administrator
Get-AppxPackage *3dbuilder* | Remove-AppxPackage
🧯 If You Can't Patch
- Implement application whitelisting to block 3D Builder execution
- Deploy network segmentation to isolate systems running vulnerable software
🔍 How to Verify
Check if Vulnerable:
Check 3D Builder version in Microsoft Store or via PowerShell: Get-AppxPackage *3dbuilder* | Select Version
Check Version:
Get-AppxPackage *3dbuilder* | Select Name, Version
Verify Fix Applied:
Verify Windows Update history shows recent security updates installed and 3D Builder version is current
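The version checks above are one-liners for the current user only; Get-AppxPackage without -AllUsers does not see packages installed in other user profiles, and the same applies to the Remove-AppxPackage workaround. The script below is an added example (not part of the original advisory or of Microsoft's tooling) that enumerates 3D Builder for every user profile (requires an elevated PowerShell session) and compares each installed version against a threshold. The patched version number is not stated on this page, so the $PatchedVersion default is a placeholder to be replaced with the build listed in the vendor advisory.

```powershell
# Added example: report every installed 3D Builder package and whether it
# meets the patched version. Run from an elevated (Administrator) PowerShell.
param(
    # Placeholder: replace with the fixed version listed in the MSRC advisory
    # for CVE-2023-23390. "0.0.0.0" is not a real value.
    [string]$PatchedVersion = "0.0.0.0"
)

function Get-3DBuilderStatus {
    param([string]$PatchedVersion)

    # -AllUsers covers packages provisioned in other profiles; the page's
    # one-liner (without it) only inspects the current user.
    $packages = Get-AppxPackage -AllUsers -Name "*3dbuilder*" -ErrorAction SilentlyContinue
    if (-not $packages) {
        return [pscustomobject]@{
            Name    = "(none)"
            Version = "-"
            Status  = "3D Builder not installed: not affected by CVE-2023-23390"
        }
    }

    foreach ($pkg in $packages) {
        $installed = [version]$pkg.Version
        $required  = [version]$PatchedVersion
        $status = if ($installed -ge $required) {
            "current"
        } else {
            "VULNERABLE: update via Microsoft Store or remove the package"
        }
        [pscustomobject]@{
            Name    = $pkg.Name
            Version = $pkg.Version
            Status  = $status
        }
    }
}

Get-3DBuilderStatus -PatchedVersion $PatchedVersion | Format-Table -AutoSize
```

If the goal is removal rather than verification, the same -AllUsers switch applies: Get-AppxPackage -AllUsers *3dbuilder* | Remove-AppxPackage -AllUsers removes the app from every profile, whereas the one-liner in the workaround above only removes it for the account running it.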
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing 3D Builder crashes
- Application logs with heap corruption errors
- Process creation from 3D Builder with suspicious parent-child relationships
Network Indicators:
- Outbound connections from 3D Builder process to unknown external IPs
- DNS queries for command and control domains from system running 3D Builder
SIEM Query:
Process Creation where Image contains '3dbuilder.exe' and CommandLine contains suspicious file extensions (.3mf, .stl, .obj) from untrusted sources
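The log indicators and SIEM query above are written as descriptions rather than runnable queries. The script below is an added example (not from the original advisory) that turns two of them into a local hunt using only built-in cmdlets: Application Error crash events (Event ID 1000 in the Application log) whose faulting application is 3D Builder, and Sysmon process-creation events (Event ID 1) where 3D Builder is the parent process. It assumes Sysmon is installed with its default log name; the crash check works on any Windows host.

```powershell
# Added example: hunt the Windows event logs for the two indicators named
# above. Requires read access to the Application and Sysmon logs.
function Get-SysmonField {
    # Pull a named EventData field out of a Sysmon event's XML payload.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-3DBuilderIndicators {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # Indicator 1: application crashes attributed to 3D Builder. A heap
    # overflow that fails to achieve code execution typically shows up here
    # first, so repeated crashes after opening model files are worth review.
    $crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '3dbuilder' } |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'Crash'
                Time      = $_.TimeCreated
                Detail    = ($_.Message -split "`n")[0].Trim()   # "Faulting application name: ..."
            }
        }

    # Indicator 2: processes spawned by 3D Builder. A model viewer has no
    # business launching shells or script hosts, so every child is listed
    # for the analyst rather than pre-filtered.
    $children = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { (Get-SysmonField -Event $_ -Name 'ParentImage') -match '3dbuilder' } |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'ChildProcess'
                Time      = $_.TimeCreated
                Detail    = "{0} -> {1}" -f (Get-SysmonField -Event $_ -Name 'Image'),
                                              (Get-SysmonField -Event $_ -Name 'CommandLine')
            }
        }

    @($crashes) + @($children) | Sort-Object Time
}

Find-3DBuilderIndicators -Days 7 | Format-Table -AutoSize -Wrap
```

Get-WinEvent raises a non-terminating error when a log is empty or absent (for instance, no Sysmon installed), which -ErrorAction SilentlyContinue absorbs so that the crash check still runs. For fleet-wide coverage, the same two filters map directly onto a SIEM rule: provider 'Application Error' with Event ID 1000 and a faulting application containing 3dbuilder, and Sysmon Event ID 1 with ParentImage containing 3dbuilder.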