CVE-2023-36762
📋 TL;DR
CVE-2023-36762 is a remote code execution vulnerability in Microsoft Word that allows attackers to execute arbitrary code on a victim's system by tricking them into opening a specially crafted malicious document. This affects users of Microsoft Word across multiple platforms. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Microsoft Word
- Microsoft Office
- Microsoft 365 Apps
📦 What is this software?
365 Apps by Microsoft
Office by Microsoft
Office Long Term Servicing Channel by Microsoft
Word by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with administrative privileges, data theft, ransomware deployment, and lateral movement across the network.
Likely Case
Malware installation, credential theft, data exfiltration, and persistence establishment on the compromised system.
If Mitigated
Limited impact with proper security controls - potentially blocked by antivirus, application whitelisting, or macro security settings.
🎯 Exploit Status
Requires social engineering to deliver malicious document. User must open the document for exploitation to occur.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific patch versions
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36762
Restart Required: Yes
Instructions:
1. Open Microsoft Word.
2. Go to File > Account > Update Options > Update Now.
3. Restart Word/Office when prompted.
4. For enterprise: Deploy through Microsoft Update, WSUS, or Configuration Manager.
🔧 Temporary Workarounds
Disable automatic document opening
Platform: Windows. Prevent automatic opening of Word documents from untrusted sources.
Set registry key: HKCU\Software\Microsoft\Office\16.0\Word\Security\FileValidation\DisableEditFromPV = 1
Enable Protected View
Platform: Windows. Force documents from internet sources to open in Protected View.
Set registry key: HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV = 0
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized Word execution
- Deploy email filtering to block suspicious attachments and enable macro security policies
🔍 How to Verify
Check if Vulnerable:
Check Word version and compare against patched versions in Microsoft advisory
Check Version:
In Word: File > Account > About Word (shows version)
Verify Fix Applied:
Verify Word version matches patched version from Microsoft Security Update Guide
📡 Detection & Monitoring
Log Indicators:
- Unusual Word process spawning child processes
- Word documents from external sources with suspicious content
- Failed macro execution attempts
Network Indicators:
- Outbound connections from Word process to suspicious IPs
- DNS requests for known malicious domains from Office processes
SIEM Query:
Process Creation where (ParentImage contains "WINWORD.EXE" AND CommandLine contains suspicious patterns)
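The query above, worked as an added example that is not part of the original advisory or any vendor tooling: a small Python filter over process-creation events exported as JSON lines. The `Image` field name (Sysmon Event ID 1 style), the child-process list and the command-line fragments are assumptions chosen for illustration, and the sample events are constructed.

```python
import json
from pathlib import PureWindowsPath

# Assumption (not from the page): programs Word rarely launches legitimately.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: fragments standing in for the query's "suspicious patterns".
SUSPICIOUS_FRAGMENTS = ("-enc", "http://", "https://")

def basename(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return PureWindowsPath(path or "").name.lower()

def evaluate(event):
    """Return the reasons an event matches, or [] when it does not."""
    # Exact file-name match on the parent is stricter than the query's 'contains'.
    if basename(event.get("ParentImage")) != "winword.exe":
        return []
    reasons = []
    child = basename(event.get("Image"))
    if child in SUSPICIOUS_CHILDREN:
        reasons.append("child:" + child)
    cmdline = (event.get("CommandLine") or "").lower()
    reasons += ["cmdline:" + f for f in SUSPICIOUS_FRAGMENTS if f in cmdline]
    return reasons

def scan(lines):
    """Parse JSON-lines events, skip unparsable ones, return (event, reasons) hits."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and (reasons := evaluate(event)):
            hits.append((event, reasons))
    return hits

# Constructed sample events; paths and command lines are illustrative only.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
def _ev(parent, image, cmdline):
    return json.dumps({"ParentImage": parent, "Image": image, "CommandLine": cmdline})
SAMPLE = [
    _ev(r"C:\Windows\explorer.exe", WORD, "WINWORD.EXE report.docx"),
    _ev(WORD, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    _ev(WORD, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -enc <PLACEHOLDER>"),
    _ev(WORD, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    "not json",
]
```

Calling `scan(SAMPLE)` flags the PowerShell and cmd children of Word and ignores the print helper, the user opening a document from Explorer, and the malformed line.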