Microsoft is working to patch an actively exploited remote code execution (RCE) bug, affecting a range of Windows and Office products, that was used to target attendees at this week’s NATO Summit in Lithuania. The disclosure was part of a busy July Patch Tuesday release for Microsoft that warned of 6 zero-days and 132 flaws.
The intended victims of the July RCE bug are believed to be NATO summit attendees sympathetic to Ukraine’s ambitions to join NATO. Researchers said those targets were hit by a spear phishing campaign designed to exploit the Microsoft vulnerability via the malware dubbed RomCom, malicious code that enables an adversary to execute code remotely on targeted systems.
Microsoft said it was still researching the bug, CVE-2023-36884, but indicated it was treating the vulnerability seriously by stating it may take the unusual step of releasing a fix outside its usual monthly patching cycle “depending on customer needs”.
The announcement was made on a busy July Patch Tuesday. On Tuesday Microsoft released fixes for 132 flaws, including four other zero-day bugs that are being actively exploited.
The RCE bug’s NATO connection
BlackBerry’s Threat Research and Intelligence team announced last week it had found two malicious Ukrainian World Congress documents sent as lures to supporters of Ukraine in its war against Russia, along with a document targeting NATO Summit attendees likely to be supportive of Ukraine.
The BlackBerry researchers said they believed the threat actor RomCom was likely behind the spear phishing campaign. In a post on Tuesday, Microsoft also attributed the campaign to RomCom, which it tracks as Storm-0978.
“Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022,” Microsoft said in its post.
“The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.”
Immediate mitigation measures
Microsoft said it was continuing to study the RCE vulnerability and would “take the appropriate action to help protect our customers” once its investigation was completed.
“This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,” the company said.
In the meantime, Microsoft said customers using its Defender for Office 365 solution could use its ‘Block all Office applications from creating child processes’ rule to protect their systems from attachments that attempted to exploit the vulnerability.
Other organizations could avoid exploitation of the vulnerability by setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, although Microsoft warned that the registry settings could affect the regular functioning of Office applications.
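The two interim mitigations above are both things an administrator applies and then needs to verify and, if Office breaks, roll back. The following PowerShell script is an added example written for this page; it is not from the article, Microsoft, or BlackBerry. It assumes the ASR rule GUID for “Block all Office applications from creating child processes” and the full path and per-process value list under the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key are as published in Microsoft’s documentation for this CVE; the article names only the rule and the key, so confirm both against the advisory before deploying.

```powershell
# Added example (editor's own, not the article's or Microsoft's): apply, check and
# undo the interim mitigations for CVE-2023-36884 described above.
# ASSUMPTIONS: the ASR rule GUID and the registry path / process list below are
# taken from Microsoft's published guidance, not from this article. Verify them.

#Requires -RunAsAdministrator

# Defender ASR rule "Block all Office applications from creating child processes"
$AsrOfficeChildProcs = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Feature-control key named in the advisory; a per-process DWORD of 1 opts that
# executable in to the cross-protocol file navigation block.
$FeatureKey  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeProcs = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
               'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'

function Enable-OfficeChildProcessBlock {
    param([ValidateSet('Enabled','AuditMode','Warn')] [string] $Mode = 'AuditMode')
    # Start in AuditMode to see which legitimate add-ins/macros spawn children,
    # then switch to Enabled once the impact is understood.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcs `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Set-CrossProtocolFileNavigationBlock {
    if (-not (Test-Path $FeatureKey)) { New-Item -Path $FeatureKey -Force | Out-Null }
    foreach ($proc in $OfficeProcs) {
        New-ItemProperty -Path $FeatureKey -Name $proc -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Remove-CrossProtocolFileNavigationBlock {
    # Rollback path for the side effects Microsoft warned about.
    if (Test-Path $FeatureKey) {
        foreach ($proc in $OfficeProcs) {
            Remove-ItemProperty -Path $FeatureKey -Name $proc -ErrorAction SilentlyContinue
        }
    }
}

function Get-Cve202336884MitigationState {
    # Returns an object summarising both mitigations so it can be collected fleet-wide.
    $pref = Get-MpPreference
    $asrState = 'NotConfigured'
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $AsrOfficeChildProcs) {
            # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
            $asrState = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
            }
        }
    }

    $missing = @()
    foreach ($proc in $OfficeProcs) {
        $val = (Get-ItemProperty -Path $FeatureKey -Name $proc -ErrorAction SilentlyContinue).$proc
        if ($val -ne 1) { $missing += $proc }
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        AsrOfficeChildProcessRule = $asrState
        RegistryKeyPresent        = Test-Path $FeatureKey
        ProcessesNotOptedIn       = $missing
        FullyMitigated            = ($asrState -eq 'Block' -and $missing.Count -eq 0)
    }
}

# Usage: audit first, apply the registry opt-ins, then report.
Enable-OfficeChildProcessBlock -Mode AuditMode
Set-CrossProtocolFileNavigationBlock
Get-Cve202336884MitigationState | Format-List
```

Running the state check alone on each host, and keeping the rollback function to hand, is the practical way to handle Microsoft’s warning that the registry settings may interfere with normal Office behaviour: the ASR rule has an audit mode, the registry key does not, so the only way to learn its impact is to apply it to a pilot group and be able to remove it quickly.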
Four other zero-days patched
This month’s Patch Tuesday saw Microsoft release fixes for four other zero-day vulnerabilities that have been actively exploited.
The first was an Outlook security feature bypass vulnerability, CVE-2023-35311, with a CVSS v3 rating of 8.8, that allowed attackers to bypass the Outlook Security Notice prompt.
The second bug was a Windows SmartScreen security feature bypass vulnerability, CVE-2023-32049, also with a CVSS v3 rating of 8.8, that could be exploited to prevent the display of the Open File - Security Warning prompt when downloading and opening files from the Internet.
The third was a platform elevation of privilege vulnerability, CVE-2023-32046, related to MSHTML, a software component used to render web pages in Windows. The bug had a CVSS v3 rating of 7.8.
The final actively exploited bug was a Windows Error Reporting Service elevation of privilege vulnerability, CVE-2023-36874, with a CVSS v3 rating of 7.8, that allowed actors to gain administrator privileges on the targeted device.
Partner accounts suspended
Meanwhile, repeating action it took last year, Microsoft also announced on Tuesday it had suspended the seller accounts of several partners after investigating reports that drivers certified through its Windows Hardware Developer Program were being used maliciously in post-exploitation activity.
“In these attacks, the attacker gained administrative privileges on compromised systems before using the drivers,” the company said.
“We’ve suspended the partners’ seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.”