CVE-2023-36563: 
vulnerability analysis and mitigation

Microsoft WordPad Information Disclosure Vulnerability (CVE-2023-36563) was discovered by Microsoft Threat Intelligence and publicly disclosed on October 10, 2023. The vulnerability affects various versions of Windows operating systems and specifically impacts the OleConvertOLESTREAMToIStorage and OleConvertOLESTREAMToIStorageEx functions when used in WordPad (NVD, Help Net Security).

The vulnerability exists in the OLE object conversion process where the OleConvertOLESTREAMToIStorage and OleConvertOLESTREAMToIStorageEx functions are used to convert an OLE object from OLE 1 storage model to OLE 2 structured storage object. When linked objects are present in OLESTREAM, these functions may automatically authenticate to the server where the link source is located, potentially exposing user credentials. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) by NIST and 6.5 (Medium) by Microsoft (Microsoft Support).

If successfully exploited, the vulnerability could lead to the disclosure of NTLM credentials (encrypted user passwords on Windows systems) to a remote malicious server without the user's knowledge. This vulnerability affects applications that use these functions to convert OLESTREAM to IStorage, including Outlook, Word, and WordPad through Rich Edit Control (Help Net Security).

Microsoft has released security updates to address this vulnerability. Additionally, administrators can mitigate the risk by using registry modifications to disable the conversion of linked objects in OLESTREAM with an optional exclusion list of applications. It's also recommended to block outbound NTLM over SMB on Windows 11 to hamper NTLM-relay exploits. New OLE32 APIs (OleConvertOLESTREAMToIStorage2 and OleConvertOLESTREAMToIStorageEx2) have been added to help developers resolve potential vulnerabilities in their applications (Microsoft Support).