CVE-2023-35628: Windows MSHTML Platform Remote Code Execution Vulnerability
📋 TL;DR
This remote code execution vulnerability in the Windows MSHTML platform (the legacy Trident engine, mshtml.dll, which ships with every supported Windows version whether or not Internet Explorer is used) lets a remote, unauthenticated attacker run code in the context of the current user. Any application that hands attacker-controlled HTML to MSHTML is a path to it: Outlook and the other Office applications, Internet Explorer 11, and Edge's IE mode. The Outlook path is the dangerous one: Microsoft's advisory states that a specially crafted email can trigger the bug while Outlook retrieves and processes the message, before it is shown in the Preview Pane.
💻 Affected Systems
- Windows (the vulnerable component is mshtml.dll in the OS itself)
- Microsoft Office, Outlook in particular, when rendering HTML through MSHTML
- Internet Explorer 11
- Microsoft Edge in IE mode only (the Chromium engine does not use MSHTML)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the logged-on user on every host that receives a crafted message, with no click required on the Outlook path. The bug itself does not grant SYSTEM (CVSS scope is unchanged); the attacker chains a local privilege escalation from there, then steals data, deploys ransomware or installs a persistent backdoor.
Likely Case
Limited user-level compromise through phishing emails or malicious websites, leading to credential theft, lateral movement, or data exfiltration.
If Mitigated
Contained impact: application control and Defender attack surface reduction rules block the usual post-exploitation child-process chain and keep the attacker inside the compromised user's context, though that user's mailbox and files remain at risk.
🎯 Exploit Status
Per Microsoft's advisory the vulnerability is network-reachable and requires neither privileges nor user interaction (CVSS 3.1 base score 8.1, with attack complexity rated high), and its exploitability assessment was "Exploitation More Likely". It was not publicly disclosed or known to be exploited at the time of the December 2023 release. Email is the obvious delivery vector, and on the Outlook path the target does not need to open or preview the message.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: December 2023 cumulative updates (12 December 2023). The KB number depends on the OS version, for example KB5033372 for Windows 10 21H2/22H2 and KB5033375 for Windows 11 22H2/23H2; take the KB for each build from the advisory.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35628
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates via Windows Update.
2. For enterprise fleets, deploy the patches through WSUS, SCCM/ConfigMgr or Intune.
3. Restart systems after patching; the cumulative update is not fully applied until the reboot completes.
🔧 Temporary Workarounds
Limit HTML rendering by Outlook and Office
Reduces how much attacker-controlled HTML reaches MSHTML from mail. The UseWebView2ForHTML registry value sometimes cited for this is not a documented Office setting; the documented control is Outlook's read-as-plain-text option (Protected View for attachments is on by default and should stay on).
Set registry value: HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail, DWORD ReadAsPlain = 1
Caveat: because the advisory says a crafted message can trigger the bug while Outlook processes it, before it is displayed, this lowers exposure but does not remove it; only the update does.
Restrict Internet Explorer
Disable IE 11 as a standalone browser, since it renders everything through MSHTML.
Use Group Policy: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Disable Internet Explorer 11 as a standalone browser
Caveat: this closes the browser vector only. mshtml.dll stays on disk and Outlook, Office and Edge IE mode still load it.
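The two workarounds above are registry and policy settings; the script below, an added example that is not part of this page or of Microsoft's advisory, applies the Outlook plain-text setting and a Defender attack surface reduction rule and reads both back. It assumes Office 2016/2019/Microsoft 365 (the 16.0 registry hive) and Microsoft Defender Antivirus as the active engine; the rule GUID is the documented ID of "Block all Office applications from creating child processes".

```powershell
# Added example (not from the original page or the MSRC advisory): apply two exposure
# reductions for the Outlook/Office path into MSHTML and read them back.
#  - ReadAsPlain is Microsoft's documented Outlook setting to render mail as plain text.
#  - The ASR rule "Block all Office applications from creating child processes"
#    (GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A) stops the usual mshta/powershell
#    child-process chain. It requires Microsoft Defender Antivirus to be the active AV.
# Neither removes mshtml.dll, so this is exposure reduction, not a fix. Run elevated.

$outlookMail         = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'  # Office 2016/2019/365 hive (assumption)
$asrOfficeChildProcs = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-OutlookPlainTextMail {
    # Outlook may not have created the key yet on a fresh profile, so create it first.
    New-Item -Path $outlookMail -Force | Out-Null
    Set-ItemProperty -Path $outlookMail -Name ReadAsPlain -Value 1 -Type DWord
}

function Enable-OfficeChildProcessBlock {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    # Start in AuditMode, review Defender/Operational event 1122 (audit hits) for
    # legitimate Office add-ins that spawn children, then switch to Enabled (event 1121 = block).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcs `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-WorkaroundState {
    # Defender stores rule IDs and actions as parallel arrays; actions are integers
    # (0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn).
    $prefs = Get-MpPreference
    $idx   = -1
    for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $asrOfficeChildProcs) { $idx = $i }
    }
    [pscustomobject]@{
        OutlookReadAsPlain = (Get-ItemProperty -Path $outlookMail -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
        AsrRuleAction      = if ($idx -ge 0) { $prefs.AttackSurfaceReductionRules_Actions[$idx] } else { 'NotConfigured' }
    }
}

Set-OutlookPlainTextMail
Enable-OfficeChildProcessBlock -Mode AuditMode
Get-WorkaroundState
```

ReadAsPlain is per-user, so for a fleet push it through a user-side GPO preference or a logon script rather than from an admin session, and expect users to lose HTML formatting and inline images in mail.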
🧯 If You Can't Patch
- Enforce application control (WDAC or AppLocker) so that payloads dropped by a compromised Outlook, Office or IE process cannot run.
- Enable the Microsoft Defender attack surface reduction rules "Block all Office applications from creating child processes" and "Block Office communication application from creating child processes", which cut the usual mshta/powershell child-process chain.
- Use network segmentation to isolate unpatched systems and restrict their outbound internet access.
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history (or Get-HotFix) for the December 2023 cumulative update for your OS version, and compare the OS build shown by winver against the build listed in the advisory: a host on a listed version whose build is older than the December 2023 build is vulnerable.
Check Version:
wmic os get caption, version, buildnumber
Verify Fix Applied:
Verify the patch via 'systeminfo' (the Hotfix(s) list) or Windows Update history showing the December 2023 cumulative update for that OS version (KB5033372 on Windows 10 21H2/22H2, KB5033375 on Windows 11 22H2/23H2) or any later cumulative update, which supersedes it.
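Comparing the running build against the December 2023 build is more reliable than looking for one KB, because a later cumulative update supersedes KB5033372 and may hide it from the hotfix list. The script below is an added example, not part of this page or of Microsoft's advisory; the KB-to-build table is an assumption taken from memory of the December 2023 release notes for client SKUs and should be confirmed against the MSRC advisory, and extended with the server builds, before it is relied on.

```powershell
# Added example (not from the original page or the MSRC advisory): decide whether this host
# carries the December 2023 cumulative update, or a later one, for its Windows build.
# ASSUMPTION: the KB / minimum-UBR table below is for client SKUs only and must be
# confirmed against the MSRC advisory before use. Unlisted builds are reported as unknown.

$fixedBuilds = @{
    '19044' = @{ KB = 'KB5033372'; MinUBR = 3803 }   # Windows 10 21H2
    '19045' = @{ KB = 'KB5033372'; MinUBR = 3803 }   # Windows 10 22H2
    '22621' = @{ KB = 'KB5033375'; MinUBR = 2861 }   # Windows 11 22H2
    '22631' = @{ KB = 'KB5033375'; MinUBR = 2861 }   # Windows 11 23H2
}

function Test-Cve202335628Patched {
    param(
        [Parameter(Mandatory)][string]$CurrentBuild,   # e.g. '19045'
        [Parameter(Mandatory)][int]$Ubr                # update build revision, e.g. 3803
    )
    if (-not $fixedBuilds.ContainsKey($CurrentBuild)) {
        return [pscustomobject]@{
            Build    = "$CurrentBuild.$Ubr"
            Status   = 'Unknown build: look it up in the advisory'
            Required = $null
        }
    }
    $fix = $fixedBuilds[$CurrentBuild]
    [pscustomobject]@{
        Build    = "$CurrentBuild.$Ubr"
        Status   = if ($Ubr -ge $fix.MinUBR) { 'Patched' } else { 'VULNERABLE' }
        Required = "$($fix.KB) ($CurrentBuild.$($fix.MinUBR))"
    }
}

# The running build, as winver shows it, lives in CurrentBuild + UBR.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Test-Cve202335628Patched -CurrentBuild $ver.CurrentBuild -Ubr $ver.UBR

# Cross-checks: the installed-updates list (may omit a superseded LCU) and the
# MSHTML binary version, which is worth recording alongside the verdict.
Get-HotFix | Where-Object HotFixID -in ($fixedBuilds.Values.KB) | Select-Object HotFixID, InstalledOn
(Get-Item "$env:SystemRoot\System32\mshtml.dll").VersionInfo.FileVersion
```

For fleet-wide use, run Test-Cve202335628Patched through Invoke-Command or your endpoint management tool and collect the Build and Status columns; the 'Unknown build' result is deliberate so that a server or out-of-support build is never silently reported as patched.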
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 (process creation; needs Audit Process Creation enabled, plus the "Include command line in process creation events" policy for command lines) or Sysmon Event ID 1 showing mshta.exe, powershell.exe, cmd.exe, wscript.exe, cscript.exe or rundll32.exe spawned by outlook.exe, winword.exe, excel.exe, powerpnt.exe or iexplore.exe
- Application log Event ID 1000 (Application Error) for outlook.exe, an Office process or iexplore.exe with faulting module mshtml.dll, which is what a failed exploitation attempt typically leaves behind
Network Indicators:
- Outbound connections to unknown IPs after opening Office documents or visiting websites
- HTTP requests with unusual User-Agents from Office processes
SIEM Query:
source="windows" event_id=4688 process_name IN ("mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe") parent_process_name IN ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "iexplore.exe")
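The same parent/child logic as the SIEM query, run directly against a host's Security log, is useful on a machine that does not forward events. The script below is an added example, not part of this page; it assumes Audit Process Creation is enabled (otherwise there are no 4688 events to read), an elevated session (the Security log is not readable otherwise), and the process lists are a starting point chosen here, not a Microsoft-supplied indicator set.

```powershell
# Added example (not from the original page): hunt the local Security log for 4688
# process-creation events where an Outlook/Office/IE process spawned a script host or
# LOLBin. ASSUMPTIONS: Audit Process Creation is enabled; the session is elevated; the
# parent/child lists below are this example's own starting point and should be tuned.

$parents  = 'outlook.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe', 'iexplore.exe'
$children = 'mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
            'cscript.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'

function Find-OfficeSpawnedScriptHosts {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        # 4688 carries its fields as <Data Name="..."> elements; flatten them into a table.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # ParentProcessName is only populated on Windows 10 / Server 2016 and later.
        if (-not $d['ParentProcessName'] -or -not $d['NewProcessName']) { return }
        $parent = [System.IO.Path]::GetFileName($d['ParentProcessName']).ToLower()
        $child  = [System.IO.Path]::GetFileName($d['NewProcessName']).ToLower()

        if ($parents -contains $parent -and $children -contains $child) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Parent  = $parent
                Child   = $child
                Command = $d['CommandLine']   # empty unless command-line auditing is on
            }
        }
      }
}

Find-OfficeSpawnedScriptHosts | Sort-Object Time | Format-Table -AutoSize
```

Expect some benign hits (add-ins and macros that legitimately launch cmd.exe or rundll32.exe); the Command column is what separates those from an exploit-dropped stager, so enable command-line auditing before relying on this.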