CVE-2023-36760
📋 TL;DR
CVE-2023-36760 is a use-after-free vulnerability in Microsoft 3D Viewer that allows remote code execution when a user opens a specially crafted malicious 3D file. Attackers can exploit this to execute arbitrary code with the privileges of the current user. This affects users running vulnerable versions of Microsoft 3D Viewer on Windows systems.
💻 Affected Systems
- Microsoft 3D Viewer
📦 What is this software?
3D Viewer by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's machine, enabling data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to malware installation, credential theft, or persistence mechanisms being established on the compromised system.
If Mitigated
Limited impact due to application sandboxing or restricted user privileges, potentially resulting in application crash rather than full compromise.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file). The use-after-free condition must be carefully crafted to achieve reliable code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version from Microsoft Store
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36760
Restart Required: No
Instructions:
1. Open Microsoft Store.
2. Click 'Library' in the bottom left.
3. Click 'Get updates' to update all apps.
4. Alternatively, search for '3D Viewer' and update it directly.
5. Verify that 3D Viewer is updated to the latest version.
🔧 Temporary Workarounds
Disable 3D Viewer file association
Windows: Prevent 3D files from automatically opening in 3D Viewer
1. Open Settings > Apps > Default apps
2. Find '.3mf' and other 3D file extensions
3. Change the default app to a different program
Uninstall 3D Viewer
Windows: Remove the vulnerable application entirely
1. Open Settings > Apps > Apps & features
2. Search for '3D Viewer'
3. Click 'Uninstall'
🧯 If You Can't Patch
- Implement application whitelisting to block execution of 3D Viewer
- Use email/web filtering to block 3D file attachments and downloads
🔍 How to Verify
Check if Vulnerable:
Check 3D Viewer version in Microsoft Store or via 'Get-AppxPackage Microsoft.3DViewer' in PowerShell
Check Version:
Get-AppxPackage Microsoft.3DViewer | Select Version
Verify Fix Applied:
Verify 3D Viewer shows as updated in Microsoft Store and version matches latest available
📡 Detection & Monitoring
Log Indicators:
- Unexpected 3D Viewer process crashes
- Suspicious child processes spawned from 3D Viewer
- Unusual network connections from 3D Viewer process
Network Indicators:
- Downloads of 3D files from untrusted sources
- Outbound connections from 3D Viewer to suspicious IPs
SIEM Query:
Process Creation where Parent Process Name contains '3DViewer' OR File Creation where Process Name contains '3DViewer'
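Added example, not part of this advisory: a PowerShell implementation of the SIEM query above, applied to Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The sample records and the 3DViewer.exe install path are constructed for the demo; the Sysmon log name is the standard one used by Get-WinEvent.

```powershell
# Added example: flag events whose actor is Microsoft 3D Viewer, mirroring the advisory's
# SIEM query (child process of 3DViewer OR file created by 3DViewer) over Sysmon records.

function Test-3DViewerEvent {
    param([Parameter(Mandatory)] $Record)   # flat object: EventId, Image, ParentImage, TargetFilename
    $pattern = '3DViewer'
    switch ($Record.EventId) {
        1       { return [bool]($Record.ParentImage -match $pattern) }  # process spawned by 3D Viewer
        11      { return [bool]($Record.Image -match $pattern) }        # file written by 3D Viewer
        default { return $false }                                        # other event types: not in scope
    }
}

# Convert a live Sysmon event from Get-WinEvent into the flat shape Test-3DViewerEvent expects.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $WinEvent)
    process {
        $xml = [xml]$WinEvent.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            EventId        = $WinEvent.Id
            Image          = $data['Image']
            ParentImage    = $data['ParentImage']
            TargetFilename = $data['TargetFilename']
            CommandLine    = $data['CommandLine']
        }
    }
}

# Constructed sample records (not real telemetry); the WindowsApps path is assumed.
$viewer = 'C:\Program Files\WindowsApps\EXAMPLE-PACKAGE\3DViewer.exe'
$sample = @(
    [pscustomobject]@{ EventId = 1;  Image = 'C:\Windows\System32\cmd.exe'; ParentImage = $viewer; TargetFilename = $null; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ EventId = 1;  Image = 'C:\Windows\explorer.exe';     ParentImage = 'C:\Windows\System32\userinit.exe'; TargetFilename = $null; CommandLine = 'explorer.exe' }
    [pscustomobject]@{ EventId = 11; Image = $viewer;                       ParentImage = $null; TargetFilename = 'C:\Users\user\AppData\Local\Temp\dropped.dll'; CommandLine = $null }
    [pscustomobject]@{ EventId = 11; Image = 'C:\Windows\System32\svchost.exe'; ParentImage = $null; TargetFilename = 'C:\Windows\Temp\update.log'; CommandLine = $null }
)

# Expected: the cmd.exe child of 3DViewer (ID 1) and the dropped.dll write by 3DViewer (ID 11).
$sample | Where-Object { Test-3DViewerEvent $_ } |
    Format-Table EventId, Image, ParentImage, TargetFilename -AutoSize

# Live use on a host running Sysmon (requires an elevated session to read the log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11 } |
#     ConvertFrom-SysmonEvent | Where-Object { Test-3DViewerEvent $_ }
```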