CVE-2023-36884

[Mohsen Ghaffari 0]

Hello,

Microsoft has issued an advisory regarding the following 0day https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36884

Currently no patches are available and Microsoft mentions that windows defender for office can block the exploit. 

any eset update on the issue? are eset customers protected? 

Thank you!

 

[Peter Randziak 1,014]

Hello @Mohsen Ghaffari,

we have a detections in place for payloads used in exploitation of this vulnerability.

Peter

[itman 1,595]

I will also note if Eset recommended anti-ransoware HIPS rules are deployed in regards to MS Office apps, this vulnerability can't be exploited;

Quote

In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited

https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/

Edited July 14 by itman

[StevenShark 0]

On 7/14/2023 at 9:30 PM, Peter Randziak said:

Hello @Mohsen Ghaffari,

we have a detections in place for payloads used in exploitation of this vulnerability.

Peter

Hi @Peter Randziak, can you please share a link to confirm that this vulnerability is covered by ESET?

Thank you

[Marcos 4,841]

ESET detects the payloads depending on their variants. The detections are:

- variant of Win32/Exploit.CVE-2017-0199 (document payloads)

- variants of Win64/Agent (RomCom backdoor)

- variants of Python/Impacket (Impacket framework)

- variants of Win32/Exploit.CVE-2017-0199 (XML payloads)