
Windows - Security - Mitigate Office & Windows HTML RCE Vulnerability (CVE-2023-36884)

Disable HTML RCE attack vectors in Office applications by blocking cross-protocol file navigation

Worklet Details

What the CVE-2023-36884 RCE Worklet does

This Automox Worklet™ mitigates CVE-2023-36884, a critical remote code execution vulnerability that affects Windows endpoints running Microsoft Office applications. The Worklet modifies the Windows registry to block cross-protocol file navigation, preventing attackers from weaponizing malicious Office documents to execute arbitrary code.

Specifically, the Worklet targets the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key under Internet Explorer security policies. By setting a value of 1 under this key for each of nine critical Office applications (Excel, Word, Access, PowerPoint, Visio, Project, Publisher, Graph, and WordPad), the Worklet prevents attackers from chaining HTML-based exploits with Office features to gain code execution.

The Worklet includes a revert parameter that allows you to undo changes if necessary. This capability is essential for rollback scenarios where you need to recover from unforeseen compatibility issues.

Why block cross-protocol file navigation in Office

CVE-2023-36884 exploits a design flaw in how Windows and Office handle file navigation across different protocols. An attacker can craft a malicious Office document that references a remote HTML file via cross-protocol navigation. The HTML file exploits a Windows vulnerability, giving the attacker code execution within the context of the Office application. This attack bypasses many traditional security measures because the malicious code runs with the privileges of the logged-in user.

By blocking cross-protocol file navigation, you eliminate this entire attack vector. Endpoints become resistant to CVE-2023-36884 exploitation immediately, without waiting for all users to install Windows security updates. This is particularly valuable in large environments where patch deployment takes time or where you need to protect against zero-day variants of this vulnerability.

The registry modification affects user experience minimally. Most legitimate workflows do not require cross-protocol file navigation in Office. This makes the Worklet a low-risk, high-impact security control that reduces your organization's attack surface significantly.

How cross-protocol blocking works

  1. Evaluation phase: The Worklet connects to the Windows registry and checks the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key under HKLM:SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl. It verifies that the key exists and that all nine Office application properties (Excel.exe, WinWord.exe, MSAccess.exe, Powerpnt.exe, Visio.exe, WinProj.exe, MSPub.exe, Graph.exe, and Wordpad.exe) are set to value 1. If the key does not exist or any property is missing or set to a different value, the evaluation fails and remediation is triggered.

  2. Remediation phase: The Worklet creates the registry key if it does not exist, then sets all nine Office application properties to value 1. Each property assignment is logged for troubleshooting and audit purposes. If the revert parameter is enabled, the Worklet sets properties to 0 instead, undoing the mitigation on demand.
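The two phases described above can be sketched in PowerShell as follows. This is an added example, not the Worklet's own script: the function names and the `-Revert` parameter are assumptions, and the values are written as DWORDs.

```powershell
# Added example, not the Worklet's own code. Run from an elevated session.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe', 'WinWord.exe', 'MSAccess.exe', 'Powerpnt.exe', 'Visio.exe',
        'WinProj.exe', 'MSPub.exe', 'Graph.exe', 'Wordpad.exe'

function Test-CrossProtocolBlock {
    # Evaluation: compliant only if the key exists and all nine values equal 1.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $props = Get-ItemProperty -Path $KeyPath
    if ($null -eq $props) { return $false }   # key exists but holds no values
    foreach ($app in $Apps) {
        # Look the value up by name; a missing entry comes back as $null.
        $entry = $props.PSObject.Properties[$app]
        if ($null -eq $entry -or $entry.Value -ne 1) {
            Write-Verbose "$app is missing or not set to 1"
            return $false
        }
    }
    return $true
}

function Set-CrossProtocolBlock {
    # Remediation: write 1 for every application, or 0 when reverting.
    param([bool]$Revert = $false)   # hypothetical parameter name
    $value = if ($Revert) { 0 } else { 1 }
    if (-not (Test-Path -Path $KeyPath)) {
        # -Force also creates any missing parent keys.
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -Value $value `
            -PropertyType DWord -Force | Out-Null
        Write-Output "Set $app = $value"   # one log line per assignment
    }
}

# Remediate only when the evaluation fails.
if (-not (Test-CrossProtocolBlock)) { Set-CrossProtocolBlock }
```

Calling `Set-CrossProtocolBlock -Revert $true` writes 0 to each value, after which `Test-CrossProtocolBlock` reports the endpoint as non-compliant again.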

CVE-2023-36884 mitigation requirements

  • Windows 10 or Windows 11 endpoints

  • Windows Server 2016 or later

  • Administrator or system-level privileges to modify HKLM registry

  • FixNow compatible (RunNow and AVR supported for immediate execution)

  • Supported on both 32-bit and 64-bit Windows architectures

Expected registry security state

After the Worklet completes successfully, the cross-protocol navigation block is active on all covered Office applications. CVE-2023-36884 can no longer be exploited on the endpoint through this vector. You will see entries in Event Viewer logs documenting the registry changes, and you can verify the configuration by checking the registry key HKLM:SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION in regedit.exe.

Important: This Worklet can affect functionality in rare scenarios where Office applications legitimately need to reference remote HTML resources via cross-protocol navigation. Test thoroughly in a pilot group before broad deployment. If users experience unexpected behavior after this Worklet runs, you can revert the changes by running the Worklet again with the revert parameter set to true.

How to validate the CVE-2023-36884 mitigation changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for the CVE-2023-36884 mitigation.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as its Write-Verbose output.

  4. Validate remediation effects from script operations such as Write-Verbose and Write-Output, then rerun the evaluation to confirm compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
