Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

# Policy key that holds the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation (machine-wide)
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"
# Application names listed in the MSRC guidance for CVE-2023-36884; each becomes a REG_DWORD value set to 1
$applications = @("Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe", "PowerPnt.exe", "Visio.exe", "WinProj.exe", "WinWord.exe", "Wordpad.exe")

# Create the key (and any missing parent keys) if it does not exist yet
if (!(Test-Path -Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
# Enable the mitigation for every listed application (1 = block, 0 = disabled)
foreach ($app in $applications) {
    Set-ItemProperty -Path $registryPath -Name $app -Value 1 -Type DWord
}
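As an added audit example (not part of the gist or of Microsoft's guidance), the following PowerShell reads the same policy key back and reports, per application, whether the value is present and set to 1. It checks only that the configuration is in place, not that the mitigation behaves as intended; the function name is my own.

```powershell
# Added example: audit the CVE-2023-36884 mitigation key rather than set it.
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"
$applications = @("Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe", "PowerPnt.exe", "Visio.exe", "WinProj.exe", "WinWord.exe", "Wordpad.exe")

# Hypothetical helper name; returns one object per application with its current state.
function Get-CrossProtocolMitigationState {
    param(
        [string]$Path = $registryPath,
        [string[]]$Apps = $applications
    )
    $keyExists = Test-Path -Path $Path
    $values = if ($keyExists) { Get-ItemProperty -Path $Path } else { $null }
    foreach ($app in $Apps) {
        $data = $null
        # Registry value names are case-insensitive; the PSObject property lookup is too.
        if ($keyExists -and $null -ne $values.PSObject.Properties[$app]) {
            $data = $values.$app
        }
        $status = if ($null -eq $data) { "Missing" }          # value never created
                  elseif ([int]$data -eq 1) { "Enabled" }      # mitigation on
                  else { "Disabled" }                          # present but 0 (or other)
        [pscustomobject]@{ Application = $app; Value = $data; Status = $status }
    }
}

$state = Get-CrossProtocolMitigationState
$state | Format-Table -AutoSize

# Non-zero exit lets a deployment or compliance job flag machines that are not fully covered.
$notEnabled = @($state | Where-Object Status -ne "Enabled")
if ($notEnabled.Count -gt 0) {
    Write-Warning ("Mitigation not fully applied for: " + ($notEnabled.Application -join ", "))
    exit 1
}
Write-Host "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is set to 1 for all listed applications."
```

Run it after the gist's script (and after restarting the affected applications, as MSRC recommends) to confirm the values landed; a "Disabled" row means someone set the value to 0 rather than removing it.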
@johnmccash
Copy link

MS Documentation for the referenced registry settings:
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/general-info/ee330731(v=vs.85)#file-protocol-navigation

@h3nk13t
Copy link

h3nk13t commented Jul 14, 2023

Great! What about teams.exe?

@h3nk13t
Copy link

h3nk13t commented Jul 14, 2023

Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. No OS restart is required, but restarting the applications that have had the registry key added for them is recommended in case the value was already queried and is cached. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing. To disable the mitigation, delete the registry key or set it to “0”.
Add the following application names to this registry key as values of type REG_DWORD with data 1:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
Powerpnt.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

@atc0005
Copy link

atc0005 commented Jul 17, 2023

@MHaggis

Looks like there is a typo in the list of application exe names.

Per https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884, the PowerPoint.exe filename should instead be Powerpnt.exe:

-PowerPoint.exe
+Powerpnt.exe

@MHaggis
Copy link
Author

MHaggis commented Jul 17, 2023

Thank you, @atc0005 ! Updated.

@flokflok
Copy link

Do you know of a way to verify whether this setting is actually working, e.g. using a test document?
A simple Word document containing a URL to file:///C:/Windows/System32/calc.exe, downloaded from the internet, doesn't seem to do the trick. calc.exe is still executed in spite of the registry setting (after clicking on "Enable editing" of course, and after two more confirmation dialogs).

Thanks!

@FreeJAC
Copy link

FreeJAC commented Jul 18, 2023

I too am looking for a quick easy way to test this. I tried a shared .xlsm doc from onedrive and was able to execute a macro that had a child ping child process from explorer.exe and it was not blocked like I anticipated it would be.
