CVE-2023-28285
📋 TL;DR
CVE-2023-28285 is a use-after-free vulnerability in Microsoft Office that allows remote code execution when a user opens a specially crafted malicious document. Attackers can exploit this to execute arbitrary code with the privileges of the current user. All users running affected Microsoft Office versions are vulnerable.
💻 Affected Systems
- Microsoft Office
- Microsoft 365 Apps
- Microsoft Office LTSC 2021
- Microsoft Office 2019
- Microsoft Office 2016
📦 What is this software?
- Microsoft 365 Apps, by Microsoft
- Microsoft Office, by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer, data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Malware installation, credential theft, and data exfiltration through malicious Office documents delivered via phishing or compromised websites.
If Mitigated
Limited impact with proper application control policies, macro restrictions, and user training preventing malicious document execution.
🎯 Exploit Status
Exploitation requires user interaction: the victim must open a malicious document. Multiple proof-of-concept exploits are publicly available, and active exploitation has been observed in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in May 2023 (e.g., Version 2305 Build 16.0.16501.20074 for Microsoft 365)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28285
Restart Required: Yes
Instructions:
1. Open any Office application.
2. Go to File > Account > Update Options > Update Now.
3. For enterprise deployments, deploy the May 2023 security updates through Microsoft Update, WSUS, or Configuration Manager.
🔧 Temporary Workarounds
Block Office file types via Group Policy (Windows)
Prevent execution of potentially malicious Office documents by blocking specific file extensions.
Use Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies
Enable Attack Surface Reduction rules (Windows)
Use the Microsoft Defender Attack Surface Reduction rule "Block all Office applications from creating child processes" so that a compromised Office process cannot spawn a payload:
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
🧯 If You Can't Patch
- Implement application control policies to allow only trusted Office applications
- Disable all Office macros and implement user training about not opening untrusted documents
🔍 How to Verify
Check if Vulnerable:
Check the Office version in any Office app: File > Account > About [Application]. Compare it against the patched versions listed in the Microsoft advisory.
Check Version:
In PowerShell: Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object {$_.DisplayName -like "*Office*"} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
Verify Office version is at or above the patched version listed in Microsoft's security update. Check Windows Update history for May 2023 Office security updates.
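The version check and the Attack Surface Reduction workaround above can be verified together from PowerShell. This is an added example, not part of the advisory; it assumes the 16.0.16501.20074 build applies only to the Microsoft 365 Apps channel the advisory names (MSI-based Office 2016/2019 and other channels carry different build numbers, and have no ClickToRun registry key), and that Microsoft Defender Antivirus is the active AV so that Get-MpPreference reports ASR state.

```powershell
# Added example (not from the advisory): verify the Office build against the May 2023 build named
# above and report whether the ASR rule from the workaround is enforced. Run from an elevated prompt.
$PatchedBuild = [version]'16.0.16501.20074'                 # build named in the advisory (Microsoft 365 Apps)
$AsrRuleId    = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'      # Block all Office applications from creating child processes

function Get-OfficeC2RBuild {
    # Click-to-Run installs record the reported build under this key; MSI installs do not have it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($cfg -and $cfg.VersionToReport) { return [version]$cfg.VersionToReport }
    return $null
}

function Test-OfficePatched {
    param([version]$Installed, [version]$Patched = $PatchedBuild)
    if ($null -eq $Installed) { return $false }
    return $Installed -ge $Patched
}

function Get-AsrRuleState {
    param([string]$RuleId = $AsrRuleId)
    # Get-MpPreference returns two parallel arrays: rule GUIDs and their actions (0 Off, 1 Block, 2 Audit, 6 Warn).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ([int]$actions[$i]) { 1 { return 'Block' } 2 { return 'Audit' } 6 { return 'Warn' } default { return 'Off' } }
        }
    }
    return 'NotConfigured'
}

$build = Get-OfficeC2RBuild
if ($null -eq $build) {
    Write-Output 'No Click-to-Run Office found; use the Uninstall-key query under Check Version instead.'
} else {
    $state = if (Test-OfficePatched -Installed $build) { 'patched' } else { 'VULNERABLE' }
    Write-Output "Office build $($build): $state (reference build $($PatchedBuild))"
}

$asr = Get-AsrRuleState
Write-Output "ASR rule $AsrRuleId (Office child processes): $asr"
if ($asr -ne 'Block') {
    Write-Output 'Workaround not enforced; apply the Set-MpPreference command under Temporary Workarounds.'
}
```

An Audit or Warn result means the rule only logs or prompts rather than blocks, so it is not a substitute for patching.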
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Office application crashes, suspicious child process creation from Office apps
- Microsoft Defender alerts for Office exploitation
Network Indicators:
- Unusual outbound connections from Office processes
- Downloads of Office documents from suspicious sources
SIEM Query:
source="Windows Security" EventID=4688 (ParentProcessName="*WINWORD.EXE" OR ParentProcessName="*EXCEL.EXE" OR ParentProcessName="*POWERPNT.EXE")
Event 4688 records the creator process as a full path, so match the executable name with a leading wildcard rather than an exact string, and group the OR terms so the EventID filter applies to all three.
🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28285
- http://packetstormsecurity.com/files/173127/Microsoft-Office-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/173140/Microsoft-365-MSO-2305-Build-16.0.16501.20074-Remote-Code-Execution.html