Friday, November 10, 2023

Micropatches Released For Microsoft WordPad Information Disclosure (CVE-2023-36563)



October 2023 Windows Updates brought a patch for CVE-2023-36563, an "Information Disclosure" vulnerability in WordPad that Microsoft Threat Intelligence found being exploited in the wild. A better name for this vulnerability would be "Coerced authentication" or "Forced authentication", as it falls in the same class of vulnerabilities as various similar issues that we've patched before.

In any case, the vulnerability allows an attacker to create a Rich Text Format (RTF) document which, when opened by the victim in WordPad*, sends the user's NTLM hash to the attacker's server - where the attacker can receive it and relay it to some other NTLM-enabled service in the victim's network to impersonate the victim.

(* WordPad is the default application for RTF files when Office is not installed.)

While WordPad warns the user that the document contains potentially harmful remote content, and the user can choose to block such content, WordPad sends out the user's NTLM hash before showing this warning - which is a bit out of order, so to speak.


The Vulnerability and the Official Patch

Two weeks later, security researcher Dillon Franke published their reverse engineering analysis of this vulnerability. In this article, Dillon describes reverse engineering Microsoft's patch and tracing it back to the vulnerability. They not only discovered what the issue was but also that Microsoft created new Windows API functions to fix it: the underlying problem turned out to be systemic, namely that simply initializing an OLE object could result in Windows trying to authenticate to a remote server without any way for the initializing application - or its user - to decide whether they were okay with that. Microsoft therefore created new functions that expose this decision through "callback functions", and fixed WordPad by using these new functions instead of the old ones.

Our Micropatch

As for our patching this issue, we really didn't want to implement new functions in ole32.dll because our thing is, you know, MICROpatching.

Instead, we decided to do something different, something that we think WordPad should have been doing for years now: we implemented Mark-of-the-Web checking in WordPad.

Mark-of-the-Web (MotW) is a flag that gets set by all major web browsers and mail clients on Windows on all files that originate from the Internet, and allows applications opening such files to alert the user about opening a potentially harmful document. Most major document-handling applications on Windows check the MotW and do something about it, but WordPad never got this feature.

We decided that implementing a MotW check in WordPad would not only provide an effectively identical level of protection against the issue at hand as Microsoft's patch, but would also show users a security alert for any other malicious document originating from the Internet. We consider this a good thing.
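As an added illustration of the kind of check described above (example code, not 0patch's micropatch), here is a Mark-of-the-Web check in Python: it reads the Zone.Identifier alternate data stream that browsers and mail clients write on NTFS and decides whether the file came from an untrusted zone. The stream read only works on Windows; the parser itself runs anywhere and is exercised on a constructed sample stream.

```python
"""Minimal Mark-of-the-Web (MotW) check of the kind the micropatch adds to WordPad.

Added example, not 0patch's code. On NTFS, downloaded files carry an alternate
data stream named "Zone.Identifier" (INI-style text) recording their origin zone.
"""
import re
from typing import Optional

# URL security zone ids as Windows writes them into Zone.Identifier.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Zones a document viewer should warn about before rendering remote content.
UNTRUSTED_ZONES = {3, 4}


def parse_zone_id(stream_text: str) -> Optional[int]:
    """Return the ZoneId from a [ZoneTransfer] section, or None if absent/malformed."""
    in_section = False
    for line in stream_text.splitlines():
        line = line.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):          # some other section: stop honouring keys
            in_section = False
            continue
        m = re.match(r"zoneid\s*=\s*(\d+)$", line, re.IGNORECASE)
        if in_section and m:
            return int(m.group(1))
    return None


def read_motw(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS of `path` (Windows/NTFS only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:                       # no stream, non-NTFS volume, or non-Windows
        return None


def should_warn(stream_text: Optional[str]) -> bool:
    """True when the file carries MotW from the Internet or Restricted zone."""
    if stream_text is None:
        return False
    return parse_zone_id(stream_text) in UNTRUSTED_ZONES


# Constructed sample of what a browser writes for a downloaded RTF (not from the post).
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                   "HostUrl=https://example.invalid/doc.rtf\r\n")

if __name__ == "__main__":
    print("warn before opening" if should_warn(SAMPLE_INTERNET) else "open silently")
```

To check a real file on Windows, call `should_warn(read_motw(r"C:\path\to\doc.rtf"))`; a file copied from a FAT volume or created locally has no stream and yields no warning.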

Let's see our micropatch in action. On the left side of the screen is the victim's computer, vulnerable to CVE-2023-36563, where the user is about to open the attacker's RTF document. On the right side is the attacker's server running a tool that is waiting to collect the user's NTLM hash. Without 0patch, opening the RTF document results in the attacker's server receiving the user's NTLM hash even before WordPad shows the security warning. With 0patch, a new "Mark-of-the-Web" warning is shown to the user upon opening the document, and if the user decides not to proceed with opening the document, no NTLM hash is sent to the attacker's server.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 10 v21H1
  2. Windows 10 v20H2
  3. Windows 10 v2004
  4. Windows 10 v1909
  5. Windows 10 v1809
  6. Windows 10 v1803
  7. Windows 7 (without ESU, with years 1, 2 or 3 of ESU)
  8. Windows Server 2008 R2 (without ESU, with years 1, 2 or 3 of ESU)

Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from, and email for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Dillon Franke for sharing their analysis, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.
