CVE-2023-36584
Published: 10 October 2023
Summary
CVE-2023-36584 is a medium-severity vulnerability in Microsoft Windows 10 1809; the weakness type (CWE) is unspecified. Its CVSS base score is 5.4 (Medium).
Operationally, it is ranked in the top 5.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2023-36584 is a security feature bypass vulnerability affecting the Mark of the Web (MOTW) mechanism in Windows. MOTW is a Windows component that tags files originating from the internet and triggers security warnings or protected-view restrictions in applications such as Office and the Edge browser; the flaw allows this tagging and enforcement to be circumvented.
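To make the mechanism concrete, the following added example (not part of this CVE record) shows what the Mark of the Web actually is on disk: an NTFS alternate data stream named `Zone.Identifier` holding an INI-style `[ZoneTransfer]` section whose `ZoneId` field tells Office, SmartScreen and the browser which URL security zone the file came from. The parser and the zone table are the assumed general form of that stream; the sample stream content is constructed. On a Windows host the helper reads the stream directly, which lets a defender verify whether a downloaded file still carries the tag that this vulnerability allows to be bypassed.

```python
"""Inspect the Mark of the Web (MOTW) tag on a downloaded file.

Added example, not code from the CVE record. Windows stores MOTW as an
NTFS alternate data stream named ``Zone.Identifier`` in INI format. This
helper parses that stream and, on Windows, reads it from a file so a
defender can confirm whether a file still carries its internet zone tag.
"""
import sys

# URLZONE values carried in the ZoneId field (Windows URL security zones).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse Zone.Identifier stream content into a dict of its fields.

    Returns {} when there is no [ZoneTransfer] section. Keys are the field
    names (ZoneId, ReferrerUrl, HostUrl); ZoneId is converted to int.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        try:
            fields["ZoneId"] = int(fields["ZoneId"])
        except ValueError:
            pass  # malformed value; keep the raw string so the caller sees it
    return fields


def classify(fields: dict) -> str:
    """Summarise what the tag (or its absence) means for downstream protections."""
    zone = fields.get("ZoneId")
    if zone is None:
        return "no MOTW: Office Protected View / SmartScreen prompts will not trigger"
    name = ZONE_NAMES.get(zone, f"unknown zone {zone}")
    if isinstance(zone, int) and zone >= 3:
        return f"MOTW present (ZoneId={zone}, {name}): protections should apply"
    return f"MOTW present but low-risk zone (ZoneId={zone}, {name})"


def read_zone_identifier(path: str) -> dict:
    """Read the Zone.Identifier ADS of ``path`` (Windows/NTFS only).

    Returns {} if the stream does not exist. On non-Windows hosts the
    ``file:stream`` naming is not available, so this also returns {}.
    """
    if not sys.platform.startswith("win"):
        return {}
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return {}


# Constructed sample: what the stream looks like for a typical browser download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/report.docx\r\n"
)

if __name__ == "__main__":
    # Usage: python motw_check.py <file>   (falls back to the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    tag = read_zone_identifier(target) if target else parse_zone_identifier(SAMPLE_STREAM)
    print(tag)
    print(classify(tag))
```

A file that arrived from the internet but reports "no MOTW" is exactly the condition a MOTW bypass produces; comparing the tag against the download source (proxy or browser logs) is a cheap detection check to pair with the SI-3 controls listed below.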
An unauthenticated attacker can exploit the issue over the network by supplying a specially crafted file; exploitation requires user interaction, such as opening or saving the file. Successful exploitation bypasses MOTW protections, enabling limited integrity and availability impacts without requiring privileges on the target system.
Microsoft has published an advisory and corresponding security update addressing the vulnerability. The flaw is also listed in CISA’s Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.
EPSS scores have reached a peak of 0.1852 with a current value of 0.1542, reflecting moderate and sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40529
Vulnerability details
Windows Mark of the Web Security Feature Bypass Vulnerability
- CWE(s)
- KEV Date Added: 16 November 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires applying the Microsoft security updates that remediate the Mark of the Web bypass in CVE-2023-36584.
- SI-3 (Malicious Code Protection): Deploys malicious-code detection mechanisms that can block or alert on files exploiting the Mark of the Web bypass before or at execution.
- Enforces information-flow policies based on security attributes such as zone identifiers, compensating for the bypassed Mark of the Web marking.