Microsoft disclosed an unpatched zero-day vulnerability in multiple Windows and Office products that has been actively exploited in the wild. The issue, tracked as CVE-2023-36884, was exploited by nation-state actors and cybercriminals to gain remote code execution via malicious Office documents.
The IT giant is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. The company revealed that it is aware of highly targeted attacks that attempt to exploit these issues through specially crafted Office documents.
“An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file,” reads the advisory published by Microsoft. “Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
While Microsoft is working to address the vulnerability, experts pointed out that it could be fixed by an out-of-band patch released before the August Patch Tuesday.
In a separate post, Microsoft announced the identification of a phishing campaign conducted by the Russian cybercrime group Storm-0978 (aka DEV-0978 and RomCom) and aimed at defense and government entities in Europe and North America. The threat actors were observed exploiting the flaw CVE-2023-36884 using lures related to the Ukrainian World Congress.
“Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, including a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass,” reads the post.
Microsoft provided the following mitigations for the unpatched zero-day:
(SecurityAffairs – hacking, Microsoft)