CVE-2023-29335
📋 TL;DR
CVE-2023-29335 is a security feature bypass vulnerability in Microsoft Word that allows attackers to circumvent security protections and potentially execute malicious code. This affects users of Microsoft Word who open specially crafted documents. The vulnerability requires user interaction to trigger.
💻 Affected Systems
- Microsoft Word
- Microsoft Office
📦 What is this software?
365 Apps by Microsoft
Office by Microsoft
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Word by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker could bypass security features to execute arbitrary code with the privileges of the current user, potentially leading to full system compromise.
Likely Case
Attackers bypass security warnings to deliver malware via malicious Word documents, leading to initial access and potential data theft.
If Mitigated
With proper controls, the impact is limited to the user context with no privilege escalation beyond the current user's permissions.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious document. No public exploit code was known at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2023 security updates for Microsoft Office
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29335
Restart Required: Yes
Instructions:
1. Open Microsoft Word.
2. Go to File > Account > Update Options > Update Now.
3. Alternatively, use Windows Update to install the May 2023 security updates for Office.
4. Restart the system after installation.
🔧 Temporary Workarounds
Block Office macros from the internet
Windows: Configure Office to block macros from the internet, which can prevent execution of malicious content.
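$p = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'; if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }  # create the per-user policy key if it is missing
Set-ItemProperty -Path $p -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord  # Word policy "Block macros from running in Office files from the Internet"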
Use Microsoft Office Viewer
Windows: Use Microsoft Office Viewer to open documents instead of the full Office application.
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized Office document execution
- Use email filtering to block suspicious Office attachments and educate users about phishing risks
🔍 How to Verify
Check if Vulnerable:
Check the Office version in Word via File > Account > About Word. If the version predates the May 2023 updates, the installation is vulnerable.
Check Version:
powershell "Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' | Select-Object VersionToReport"
Verify Fix Applied:
Verify Office version is updated to May 2023 or later via File > Account > About Word.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing Word crashes or suspicious macro execution
- Office telemetry showing document opening with unusual features
Network Indicators:
- Unusual outbound connections from Office processes after document opening
- Downloads of Office documents from suspicious sources
SIEM Query:
EventID=1 AND (Image LIKE '%WINWORD.EXE%' OR ParentImage LIKE '%WINWORD.EXE%') AND CommandLine CONTAINS '.doc'
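The SIEM query above, evaluated in Python over constructed Sysmon Event ID 1 (process creation) records. This is an added example, not part of the original advisory. Matching is assumed to be case-insensitive, and the labels `word_spawned_child` and `word_opened_document` are hypothetical names for the two branches of the query, used so that child processes of Word can be reviewed separately from ordinary document opens.

```python
"""Added example: the page's SIEM query applied to constructed Sysmon Event ID 1 records."""

WORD = "winword.exe"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample records (not real telemetry); field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": OFFICE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": OFFICE,
     "CommandLine": r'cmd.exe /c type "C:\Users\alice\Downloads\invoice.doc"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'notepad.exe "C:\Users\alice\notes.doc"'},
    {"EventID": 3, "Image": OFFICE, "ParentImage": "", "CommandLine": ""},
]


def _has(event, field, needle):
    """Case-insensitive substring match, standing in for LIKE '%x%' / CONTAINS."""
    return needle in str(event.get(field) or "").lower()


def classify(event):
    """Return None if the page's query does not match, else the branch that matched."""
    if event.get("EventID") != 1 or not _has(event, "CommandLine", ".doc"):
        return None
    if _has(event, "ParentImage", WORD):
        return "word_spawned_child"    # Word is the parent process: review first
    if _has(event, "Image", WORD):
        return "word_opened_document"  # Word itself started: expected baseline
    return None


def triage(events):
    """Group matching events by branch so child-process hits stand apart from baseline."""
    hits = {"word_spawned_child": [], "word_opened_document": []}
    for ev in events:
        label = classify(ev)
        if label:
            hits[label].append(ev["Image"])
    return hits


if __name__ == "__main__":
    for label, images in triage(SAMPLE_EVENTS).items():
        print(label, images)
```

Run unfiltered, the query also returns every ordinary document open by Word, so splitting the result by branch keeps the child-process hits from being buried in baseline activity.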