CVE-2023-36897
📋 TL;DR
This vulnerability in Visual Studio Tools for Office Runtime allows attackers to spoof file paths, potentially tricking users into opening malicious files. It affects systems running vulnerable versions of VSTO Runtime. Users who open specially crafted Office documents could be impacted.
💻 Affected Systems
- Microsoft Visual Studio Tools for Office Runtime
📦 What is this software?
365 Apps by Microsoft
Office by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary code with the privileges of the current user, leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Attackers trick users into opening malicious Office documents that appear legitimate, leading to malware installation or credential theft.
If Mitigated
With proper security controls, the impact is limited to user-level actions within sandboxed environments, preventing system-wide compromise.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious document) and social engineering to be effective.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest security update for VSTO Runtime
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36897
Restart Required: Yes
Instructions:
1. Apply the latest Windows Update.
2. Ensure Office updates are installed.
3. Restart affected systems.
4. Verify VSTO Runtime is updated to the patched version.
🔧 Temporary Workarounds
Disable Office Add-ins (Windows)
Temporarily disable VSTO-based Office add-ins to reduce attack surface.
Office settings > Add-ins > Manage COM Add-ins > Uncheck VSTO add-ins
Enable Protected View (Windows)
Force Office documents from untrusted sources to open in Protected View.
File > Options > Trust Center > Trust Center Settings > Protected View > Enable all options
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized executables
- Use network segmentation to isolate vulnerable systems from critical assets
🔍 How to Verify
Check if Vulnerable:
Check VSTO Runtime version in Control Panel > Programs and Features
Check Version:
wmic product where "name like 'Microsoft Visual Studio Tools for Office%'" get version
Verify Fix Applied:
Verify VSTO Runtime version matches patched version from Microsoft advisory
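The following PowerShell script is an added example, not part of the advisory: it enumerates installed VSTO Runtime versions from the standard Uninstall registry keys and from the runtime's own `HKLM\SOFTWARE\Microsoft\VSTO Runtime Setup` key, then compares each against a patched build number. The `$PatchedVersion` default is a placeholder you must replace with the build number given in the MSRC advisory; the registry locations and display-name pattern are assumptions based on how the v4 runtime normally registers itself.

```powershell
# Added example (not from the advisory): list installed VSTO Runtime versions
# and compare them with the patched build number from the MSRC advisory.
# Assumptions: the runtime registers under the standard Uninstall keys and
# under HKLM\SOFTWARE\Microsoft\VSTO Runtime Setup; $PatchedVersion is a
# placeholder to be filled in from the advisory for CVE-2023-36897.
param(
    [version]$PatchedVersion = '0.0.0.0'   # PLACEHOLDER: take the real value from the advisory
)

function Get-VstoRuntimeInstall {
    # Uninstall entries (64-bit and 32-bit views).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like 'Microsoft Visual Studio*Tools for Office Runtime*') {
                [pscustomobject]@{ Name = $p.DisplayName; Version = $p.DisplayVersion; Source = $_.PSPath }
            }
        }
    }
    # The runtime also records its version under its own setup key (assumption: v4 layout).
    $setupRoot = 'HKLM:\SOFTWARE\Microsoft\VSTO Runtime Setup'
    if (Test-Path $setupRoot) {
        Get-ChildItem $setupRoot | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.Version) {
                [pscustomobject]@{ Name = "VSTO Runtime Setup\$($_.PSChildName)"; Version = $p.Version; Source = $_.PSPath }
            }
        }
    }
}

function Test-VstoRuntimePatched {
    # Returns $true when every detected install is at or above $Required,
    # or when no VSTO Runtime is installed at all.
    param([Parameter(Mandatory)][version]$Required)
    $installs = @(Get-VstoRuntimeInstall)
    if ($installs.Count -eq 0) {
        Write-Output 'VSTO Runtime not found: CVE-2023-36897 does not apply to this host.'
        return $true
    }
    $allPatched = $true
    foreach ($i in $installs) {
        # Strip any non-numeric decoration before parsing as a version.
        $v = [version]($i.Version -replace '[^\d.]', '')
        $state = if ($v -ge $Required) { 'patched' } else { $allPatched = $false; 'VULNERABLE' }
        Write-Output ('{0,-60} {1,-16} {2}' -f $i.Name, $v, $state)
    }
    return $allPatched
}

Test-VstoRuntimePatched -Required $PatchedVersion
```

Run it from an elevated prompt with `-PatchedVersion <build from advisory>`; the script exits with `$true` on stdout only when every detected runtime is at or above that build, which makes it easy to wrap in a compliance check.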
📡 Detection & Monitoring
Log Indicators:
- Unusual Office document launches with VSTO components
- Process creation from Office applications to unexpected locations
Network Indicators:
- Office applications making unexpected network connections after document opens
SIEM Query:
source="windows" (process_name="winword.exe" OR process_name="excel.exe" OR process_name="powerpnt.exe") AND process_call_trace="*vsto*" AND file_path="*suspicious*"
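As an added example that is not part of the advisory, the PowerShell below implements the "process creation from Office applications to unexpected locations" indicator against Windows Security event 4688 (process creation). It assumes Audit Process Creation is enabled and that the `ParentProcessName` field is present (Windows 10 / Server 2016 and later); the list of Office parents and of expected child directories are assumptions to tune for your environment, and the sample records at the end are constructed, not real telemetry.

```powershell
# Added example (not from the advisory): flag Office applications spawning
# children outside the usual Office and Windows directories, using Security
# event 4688. Assumes Audit Process Creation is enabled and ParentProcessName
# is logged (Windows 10 / Server 2016+). Office parents and expected child
# roots below are assumptions; adjust them for your estate.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

$ExpectedChildRoots = @(
    "$env:ProgramFiles\Microsoft Office",
    "${env:ProgramFiles(x86)}\Microsoft Office",
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64"
)

function Test-UnexpectedOfficeChild {
    # $true when an Office process starts a child from an unexpected directory.
    param(
        [Parameter(Mandatory)][string]$ParentProcessName,
        [Parameter(Mandatory)][string]$NewProcessName
    )
    $parentLeaf = [System.IO.Path]::GetFileName($ParentProcessName).ToLowerInvariant()
    if ($OfficeParents -notcontains $parentLeaf) { return $false }
    foreach ($root in $ExpectedChildRoots) {
        if ($NewProcessName.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
    }
    return $true
}

function ConvertFrom-ProcessCreationEvent {
    # Flatten the EventData of a 4688 record into a simple object.
    param([Parameter(Mandatory)]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated       = $Event.TimeCreated
        User              = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ParentProcessName = $data['ParentProcessName']
        NewProcessName    = $data['NewProcessName']
        CommandLine       = $data['CommandLine']
    }
}

function Find-UnexpectedOfficeChildren {
    # Pull the last $Hours of 4688 events from the local Security log and apply the rule.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-ProcessCreationEvent $_ } |
        Where-Object { $_.ParentProcessName -and (Test-UnexpectedOfficeChild $_.ParentProcessName $_.NewProcessName) }
}

# Constructed sample records (not real telemetry) to exercise the rule offline.
$Sample = @(
    [pscustomobject]@{ ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       NewProcessName    = 'C:\Users\alice\AppData\Local\Temp\update.exe' },
    [pscustomobject]@{ ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       NewProcessName    = 'C:\Windows\System32\splwow64.exe' },
    [pscustomobject]@{ ParentProcessName = 'C:\Windows\explorer.exe'
                       NewProcessName    = 'C:\Users\alice\AppData\Local\Temp\update.exe' }
)
foreach ($s in $Sample) {
    $verdict = if (Test-UnexpectedOfficeChild $s.ParentProcessName $s.NewProcessName) { 'FLAG' } else { 'ok' }
    '{0} -> {1}: {2}' -f $s.ParentProcessName, $s.NewProcessName, $verdict
}
```

Only the first sample record is flagged: Word launching a binary from a user temp directory. The print spooler helper under System32 is within an expected root, and the third record has a non-Office parent. In production, call `Find-UnexpectedOfficeChildren` on a schedule or port the same parent/child logic into the SIEM query above, and widen `$ExpectedChildRoots` as you learn which legitimate add-in helpers your users run.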