Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability - 20231116001
Overview
This advisory provides detailed information on Microsoft-recommended updates to multiple products that may be vulnerable to the Mark of the Web security feature bypass vulnerability.
What is the vulnerability?
CVE-2023-36584 - CVSS v3 Base Score: 5.4
- An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.
What is vulnerable?
The vulnerability affects the following products:
Product | Build Number |
---|---|
Windows Server 2012 R2 (Server Core installation) | Prior 6.3.9600.21620 |
Windows Server 2012 R2 | Prior 6.3.9600.21620 |
Windows Server 2012 (Server Core installation) | Prior 6.2.9200.24523 |
Windows Server 2012 | Prior 6.2.9200.24523 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Prior 6.1.7601.26769 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Prior 6.1.7601.26769 |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Prior 6.0.6003.22317 |
Windows Server 2008 for x64-based Systems Service Pack 2 | Prior 6.0.6003.22317 |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Prior 6.0.6003.22317 |
Windows Server 2008 for 32-bit Systems Service Pack 2 | Prior 6.0.6003.22317 |
Windows Server 2016 (Server Core installation) | Prior 10.0.14393.6351 |
Windows Server 2016 | Prior 10.0.14393.6351 |
Windows 10 Version 1607 for x64-based Systems | Prior 10.0.14393.6351 |
Windows 10 Version 1607 for 32-bit Systems | Prior 10.0.14393.6351 |
Windows 10 for x64-based Systems | Prior 10.0.10240.20232 |
Windows 10 for 32-bit Systems | Prior 10.0.10240.20232 |
Windows 10 Version 22H2 for 32-bit Systems | Prior 10.0.19045.3570 |
Windows 10 Version 22H2 for ARM64-based Systems | Prior 10.0.19045.3570 |
Windows 10 Version 22H2 for x64-based Systems | Prior 10.0.19045.3570 |
Windows 11 Version 22H2 for x64-based Systems | Prior 10.0.22621.2428 |
Windows 11 Version 22H2 for ARM64-based Systems | Prior 10.0.22621.2428 |
Windows 10 Version 21H2 for x64-based Systems | Prior 10.0.19041.3570 |
Windows 10 Version 21H2 for ARM64-based Systems | Prior 10.0.19041.3570 |
Windows 10 Version 21H2 for 32-bit Systems | Prior 10.0.19041.3570 |
Windows 11 version 21H2 for ARM64-based Systems | Prior 10.0.22000.2538 |
Windows 11 version 21H2 for x64-based Systems | Prior 10.0.22000.2538 |
Windows Server 2022 (Server Core installation) | Prior 10.0.20348.2031 |
Windows Server 2022 | Prior 10.0.20348.2031 |
Windows Server 2019 (Server Core installation) | Prior 10.0.17763.4974 |
Windows Server 2019 | Prior 10.0.17763.4974 |
Windows 10 Version 1809 for ARM64-based Systems | Prior 10.0.17763.4974 |
Windows 10 Version 1809 for x64-based Systems | Prior 10.0.17763.4974 |
Windows 10 Version 1809 for 32-bit Systems | Prior 10.0.17763.4974 |
What has been observed?
There is evidence of active exploitation and the vulnerability was added to the CISA Known Exploited Vulnerabilities Catalog on 2023-11-16.
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of 2 weeks (refer to Patch Management):
Product | Impact | Max Severity | Article | Download | Build Number |
---|---|---|---|---|---|
Windows Server 2012 R2 (Server Core installation) | Security Feature Bypass | Important | 5031419 | Monthly Rollup | 6.3.9600.21620 |
Windows Server 2012 R2 (Server Core installation) | Security Feature Bypass | Important | 5031407 | Security Only | 6.3.9600.21620 |
Windows Server 2012 R2 | Security Feature Bypass | Important | 5031419 | Monthly Rollup | 6.3.9600.21620 |
Windows Server 2012 R2 | Security Feature Bypass | Important | 5031407 | Security Only | 6.3.9600.21620 |
Windows Server 2012 (Server Core installation) | Security Feature Bypass | Important | 5031442 | Monthly Rollup | 6.2.9200.24523 |
Windows Server 2012 (Server Core installation) | Security Feature Bypass | Important | 5031427 | Security Only | 6.2.9200.24523 |
Windows Server 2012 | Security Feature Bypass | Important | 5031442 | Monthly Rollup | 6.2.9200.24523 |
Windows Server 2012 | Security Feature Bypass | Important | 5031427 | Security Only | 6.2.9200.24523 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Security Feature Bypass | Important | 5031408 | Monthly Rollup | 6.1.7601.26769 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Security Feature Bypass | Important | 5031441 | Security Only | 6.1.7601.26769 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Security Feature Bypass | Important | 5031408 | Monthly Rollup | 6.1.7601.26769 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Security Feature Bypass | Important | 5031441 | Security Only | 6.1.7601.26769 |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | 5031416 | Monthly Rollup | 6.0.6003.22317 |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | 5031411 | Security Only | 6.0.6003.22317 |
Windows Server 2008 for x64-based Systems Service Pack 2 | Security Feature Bypass | Important | 5031416 | Monthly Rollup | 6.0.6003.22317 |
Windows Server 2008 for x64-based Systems Service Pack 2 | Security Feature Bypass | Important | 5031411 | Security Only | 6.0.6003.22317 |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | 5031416 | Monthly Rollup | 6.0.6003.22317 |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | 5031411 | Security Only | 6.0.6003.22317 |
Windows Server 2008 for 32-bit Systems Service Pack 2 | Security Feature Bypass | Important | 5031416 | Monthly Rollup | 6.0.6003.22317 |
Windows Server 2008 for 32-bit Systems Service Pack 2 | Security Feature Bypass | Important | 5031411 | Security Only | 6.0.6003.22317 |
Windows Server 2016 (Server Core installation) | Security Feature Bypass | Important | 5031362 | Security Update | 10.0.14393.6351 |
Windows Server 2016 | Security Feature Bypass | Important | 5031362 | Security Update | 10.0.14393.6351 |
Windows 10 Version 1607 for x64-based Systems | Security Feature Bypass | Important | 5031362 | Security Update | 10.0.14393.6351 |
Windows 10 Version 1607 for 32-bit Systems | Security Feature Bypass | Important | 5031362 | Security Update | 10.0.14393.6351 |
Windows 10 for x64-based Systems | Security Feature Bypass | Important | 5031377 | Security Update | 10.0.10240.20232 |
Windows 10 for 32-bit Systems | Security Feature Bypass | Important | 5031377 | Security Update | 10.0.10240.20232 |
Windows 10 Version 22H2 for 32-bit Systems | Security Feature Bypass | Important | 5031356 | Security Update | 10.0.19045.3570 |
Windows 10 Version 22H2 for ARM64-based Systems | Security Feature Bypass | Important | 5031356 | Security Update | 10.0.19045.3570 |
Windows 10 Version 22H2 for x64-based Systems | Security Feature Bypass | Important | 5031356 | Security Update | 10.0.19045.3570 |
Windows 11 Version 22H2 for x64-based Systems | Security Feature Bypass | Important | 5031354 | Security Update | 10.0.22621.2428 |
Windows 11 Version 22H2 for ARM64-based Systems | Security Feature Bypass | Important | 5031354 | Security Update | 10.0.22621.2428 |
Windows 10 Version 21H2 for x64-based Systems | Security Feature Bypass | Important | 5031356 | Security Update | 10.0.19041.3570 |
Windows 10 Version 21H2 for ARM64-based Systems | Security Feature Bypass | Important | 5031356 | Security Update | 10.0.19041.3570 |
Windows 10 Version 21H2 for 32-bit Systems | Security Feature Bypass | Important | 5031356 | Security Update | 10.0.19041.3570 |
Windows 11 version 21H2 for ARM64-based Systems | Security Feature Bypass | Important | 5031358 | Security Update | 10.0.22000.2538 |
Windows 11 version 21H2 for x64-based Systems | Security Feature Bypass | Important | 5031358 | Security Update | 10.0.22000.2538 |
Windows Server 2022 (Server Core installation) | Security Feature Bypass | Important | 5031364 | Security Update | 10.0.20348.2031 |
Windows Server 2022 | Security Feature Bypass | Important | 5031364 | Security Update | 10.0.20348.2031 |
Windows Server 2019 (Server Core installation) | Security Feature Bypass | Important | 5031361 | Security Update | 10.0.17763.4974 |
Windows Server 2019 | Security Feature Bypass | Important | 5031361 | Security Update | 10.0.17763.4974 |
Windows 10 Version 1809 for ARM64-based Systems | Security Feature Bypass | Important | 5031361 | Security Update | 10.0.17763.4974 |
Windows 10 Version 1809 for x64-based Systems | Security Feature Bypass | Important | 5031361 | Security Update | 10.0.17763.4974 |
Windows 10 Version 1809 for 32-bit Systems | Security Feature Bypass | Important | 5031361 | Security Update | 10.0.17763.4974 |
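
One way to check a host against the fixed builds in the table above. This is an added example, not part of the original advisory or Microsoft's guidance. The function names `Test-MotwFixedBuild` and `Get-LocalBuild` are hypothetical, and the sample build strings are constructed.

```powershell
# First patched revision per branch (Major.Minor.Build), copied from the
# Build Number column of the advisory table.
$FixedRevision = @{
    '6.0.6003'   = 22317
    '6.1.7601'   = 26769
    '6.2.9200'   = 24523
    '6.3.9600'   = 21620
    '10.0.10240' = 20232
    '10.0.14393' = 6351
    '10.0.17763' = 4974
    '10.0.19041' = 3570
    '10.0.19045' = 3570
    '10.0.20348' = 2031
    '10.0.22000' = 2538
    '10.0.22621' = 2428
}

function Test-MotwFixedBuild {
    # Hypothetical helper: classify a full build string such as '10.0.19045.3448'.
    param([Parameter(Mandatory)][string]$Build)

    if ($Build -match '^(\d+\.\d+\.\d+)\.(\d+)$') {
        $branch   = $Matches[1]
        $revision = [int]$Matches[2]
        # A branch the advisory does not list is reported, never assumed patched.
        if (-not $FixedRevision.ContainsKey($branch)) { return 'NotListed' }
        if ($revision -lt $FixedRevision[$branch]) { return 'Vulnerable' }
        return 'Patched'
    }
    return 'Unparseable'
}

function Get-LocalBuild {
    # Hypothetical helper: OS version plus the UBR (update build revision) value.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = [System.Environment]::OSVersion.Version
    # UBR can be absent on older releases; return $null so the caller notices.
    if ($null -eq $cv.UBR) { return $null }
    '{0}.{1}.{2}.{3}' -f $os.Major, $os.Minor, $os.Build, $cv.UBR
}

# Constructed sample inputs, not taken from real hosts.
'10.0.19045.3448', '10.0.22621.2428', '6.3.9600.21500', '10.0.22631.2506' |
    ForEach-Object { '{0,-18} {1}' -f $_, (Test-MotwFixedBuild $_) }

$local = Get-LocalBuild
if ($local) { 'This host: {0} {1}' -f $local, (Test-MotwFixedBuild $local) }
```

A result of `NotListed` or a missing UBR value means the host needs manual review against the vendor article rather than being counted as patched.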