CVE-2023-28287
📋 TL;DR
CVE-2023-28287 is a use-after-free vulnerability in Microsoft Publisher that allows remote code execution when a user opens a specially crafted Publisher file. Attackers can exploit this to execute arbitrary code with the privileges of the current user. This affects users of Microsoft Publisher on Windows systems.
💻 Affected Systems
- Microsoft Publisher
📦 What is this software?
- 365 Apps by Microsoft
- Office by Microsoft
- Office Long Term Servicing Channel by Microsoft
- Publisher by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to malware installation, credential theft, or data exfiltration from the compromised system.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially only affecting the Publisher application itself.
🎯 Exploit Status
Requires user interaction to open malicious Publisher file. No known public exploits as of last update.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security Update for Microsoft Publisher - April 11, 2023
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28287
Restart Required: Yes
Instructions:
1. Open Windows Update settings.
2. Click 'Check for updates'.
3. Install all available updates.
4. Restart the computer if prompted.
For enterprise: deploy through WSUS, Microsoft Endpoint Configuration Manager, or Microsoft Intune.
🔧 Temporary Workarounds
Disable Publisher file opening
Platform: Windows
Prevent Publisher files from opening by default to block the exploitation vector.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pub" /v "Application" /t REG_SZ /d "" /f
Block Publisher file extensions
Platform: all
Prevent malicious Publisher files from reaching users via email.
🧯 If You Can't Patch
- Restrict Publisher file execution through application control policies
- Implement network segmentation to limit lateral movement from compromised systems
🔍 How to Verify
Check if Vulnerable:
Check Publisher version: Open Publisher > File > Account > About Publisher. If the build predates the April 2023 updates, the installation is vulnerable.
Check Version:
wmic product where "name like '%Publisher%'" get version
Verify Fix Applied:
Verify Windows Update history shows April 2023 security updates installed for Microsoft Publisher.
📡 Detection & Monitoring
Log Indicators:
- Publisher crash logs with memory access violations
- Unexpected Publisher process spawning child processes
- Publisher opening files from unusual locations
Network Indicators:
- Publisher process making unexpected outbound connections
- DNS requests for suspicious domains from Publisher process
SIEM Query (Sysmon Event ID 1, process creation):
EventID=1 AND ParentImage="*mspub.exe" AND (CommandLine="*powershell*" OR CommandLine="*cmd*")
Note: the Publisher executable is mspub.exe, and the parentheses are required because AND binds tighter than OR; without them the "*cmd*" clause matches process creations from any parent.
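As an added example (not part of the original advisory), the detection rule implemented in Python and run over constructed Sysmon Event ID 1 records; it assumes the Publisher binary name MSPUB.EXE, and also shows why `EventID=1 AND ParentImage="*mspub.exe" AND CommandLine="*powershell*" OR CommandLine="*cmd*"` without parentheses over-matches.

```python
"""Detection logic for Publisher spawning a shell, over constructed Sysmon events."""
from fnmatch import fnmatchcase

# Constructed Sysmon Event ID 1 (process creation) records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\update.ps1"},
    {"EventID": 1,  # Publisher re-launching itself to open a document: benign
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "CommandLine": "MSPUB.EXE /n newsletter.pub"},
    {"EventID": 1,  # cmd.exe started from Explorer, unrelated to Publisher
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 3,  # network-connection event, not a process creation
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def _like(value, pattern):
    """Case-insensitive '*' wildcard match, as SIEM field comparisons behave."""
    return fnmatchcase(value.lower(), pattern.lower())


def is_suspicious_child(event):
    """Corrected rule: EID 1, parent is mspub.exe, child command line is powershell or cmd."""
    cmd = event.get("CommandLine", "")
    return (event.get("EventID") == 1
            and _like(event.get("ParentImage", ""), "*mspub.exe")
            and (_like(cmd, "*powershell*") or _like(cmd, "*cmd*")))


def naive_rule(event):
    """The unparenthesised query: AND binds tighter than OR, so the cmd clause
    fires on its own regardless of parent process or event type."""
    cmd = event.get("CommandLine", "")
    return ((event.get("EventID") == 1
             and _like(event.get("ParentImage", ""), "*mspub.exe")
             and _like(cmd, "*powershell*"))
            or _like(cmd, "*cmd*"))


def alerts(events, rule=is_suspicious_child):
    """Indices of the events a rule flags; only the first sample should fire."""
    return [i for i, e in enumerate(events) if rule(e)]
```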