CVE-2023-36045: 
vulnerability analysis and mitigation

Microsoft Office Graphics Remote Code Execution Vulnerability (CVE-2023-36045) was disclosed on November 14, 2023. This vulnerability affects multiple Microsoft Office products including Microsoft 365 Apps Enterprise (x64/x86), Office 2019 (x64/x86), and Office Long Term Servicing Channel 2021 (x64/x86/macOS) (NVD).

The vulnerability exists within the parsing of FBX files and stems from improper validation of user-supplied data, which can result in a memory corruption condition. It has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Microsoft has classified this as an Untrusted Pointer Dereference (CWE-822) vulnerability (ZDI, NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process, potentially leading to full system compromise with the same privileges as the victim user. The vulnerability requires user interaction, specifically opening a malicious file or visiting a malicious page (ZDI).

Microsoft has released security updates to address this vulnerability. Users are advised to apply the latest security updates through the Microsoft Update mechanism (MSRC).