CVE-2023-36884

How is this flagging on assets with a CVSS version 2 score of 0, and in the proof it says Excel doesn't exist, Visio, Word, etc.?

Is it flagging false positives?

Some of the ones flagging have no MS Office on them.

Due to the nature of this unpatched vulnerability at this time, we are flagging as vulnerable if you have not applied the registry keys outlined by Microsoft as a form of mitigation. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

There are other forms of mitigation that are not able to be detected at this time, which means there is a high risk of getting flagged as false positive for this vulnerability. We took the decision that the safer option at this time is to raise this vulnerability, rather than hide it. However, we have also put a risk score of 0 against it so as not to inflate risk scores.

If you are confident that you have successfully mitigated this vulnerability, then you can safely put an exception in place.

Once Microsoft releases a patch for this vulnerability, we will be removing this temporary check and replacing it with a check looking for this patch, which will be required to fully remediate this vulnerability.

2 Likes
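As an added example (not from the thread or the vendor), a PowerShell check for the registry-based mitigation the post above describes, so an admin can confirm it is in place before putting an exception on the finding. The key path and application value names are taken from Microsoft's mitigation guidance linked above; verify them against that page before relying on this.

```powershell
# Added example, not vendor code: report which applications have the
# CVE-2023-36884 registry mitigation set (REG_DWORD value 1 per application).
# Key path and value names per Microsoft's MSRC mitigation guidance; verify
# against the advisory before use.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
        'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'

function Test-Cve202336884Mitigation {
    [CmdletBinding()]
    param(
        [string]$Path = $KeyPath,
        [string[]]$Applications = $Apps
    )

    # Missing key: every application is unmitigated, no exception thrown.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue

    foreach ($app in $Applications) {
        $value = if ($key) { $key.GetValue($app, $null) } else { $null }
        [pscustomobject]@{
            Application = $app
            # A DWORD comes back as Int32; anything else (missing, string, 0)
            # means the mitigation is not applied for this application.
            Mitigated   = ($value -is [int] -and $value -eq 1)
            Value       = $value
        }
    }
}

$report  = Test-Cve202336884Mitigation
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Mitigated })
if ($missing.Count -eq 0) {
    Write-Output 'Mitigation value present for all listed applications.'
} else {
    Write-Output ('Mitigation value missing for: ' + ($missing.Application -join ', '))
}
```

Run it elevated on a flagged host; hosts without Office still need the values present for the registry-based check to clear, which is what makes them show up even though the applications are not installed.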

You are awesome for putting this information up here so fast. Thank you so much.

Thanks @kevin_mccabe, your posts are super helpful!!

I wanted to mention that MS states in the FAQ that Office365 2302 and later are not affected. Are you able to have the check logic account for this?

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

If I’m running Office365 Semi-Annual Channel Extended, am I affected by this vulnerability?

Office365 Semi-Annual Channel Extended (specifically versions 2208 and 2202) are affected. Microsoft 365 Apps Semi-Annual Channel Extended (specifically versions 2208 and 2202) are affected. However, Microsoft 365 Semi-Annual Channel version 2302 (and all later versions) are protected from this vulnerability. Please see Update history for Microsoft 365 Apps (listed by date) for information about those channels and their versions.

2 Likes

We have noticed that, but are not currently planning to update this temporary check.

It is worth noting that Microsoft's language states that this version is “protected from this vulnerability”, which is curiously different language from stating “not affected”. The listed mitigations also make reference to Wordpad, which is a base Windows component.

The current temporary check is essentially functioning as informational, highlighting where there may be risk present.

I am hopeful (but not holding my breath) that Microsoft will release a patch this coming Patch Tuesday, which should clear everything up. When this happens we will remove this temporary check and replace it with a fully accurate check taking all this into account, according to the guidance provided by Microsoft when they release the patch.

1 Like

We aren’t planning to do anything about it right now (until an actual patch is available) as CrowdStrike mitigates it. Might be old news by now, but if you use CS Falcon: “Falcon has detection and prevention logic that targets such behaviors”. https://www.reddit.com/r/crowdstrike/comments/14y1yei/20230712_situational_awareness_microsoft_office/

1 Like

@kevin_mccabe

Have you all noticed, since the patch came out, admins attempting to patch with the solution but can't because it says it's already installed? Would this be because the mitigation was NOT applied? And even on those that don't have any Office installed? Or would you suggest a false positive case?

1 Like

If you are getting flagged as vulnerable for the “msft-cve-2023-36884-mitigated-registry” vulnerability, then please ensure you have got the latest content release (Thursday, August 10) and rescan.

This temporary check has now been removed in favour of a check following Microsoft's updated information.

1 Like