CVE-2023-36761: 
vulnerability analysis and mitigation

Microsoft Word Information Disclosure Vulnerability (CVE-2023-36761) was disclosed on September 12, 2023. This vulnerability affects various Microsoft Office products including Microsoft 365 Apps, Office 2019, Office LTSC 2021, and Word 2013. The vulnerability has been confirmed to be actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities Catalog (NIST NVD, Hacker News).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-20 (Improper Input Validation). What makes this vulnerability particularly concerning is that exploitation can occur not only when opening a malicious Word document but also during file preview, potentially leading to the disclosure of NTLM (New Technology LAN Manager) hashes (NIST NVD, Hacker News).

The successful exploitation of this vulnerability could lead to the disclosure of NTLM hashes, potentially compromising system security. The vulnerability affects multiple versions of Microsoft Office products, making it a significant threat to organizations using these applications (Hacker News).

Microsoft has released security patches to address this vulnerability. Organizations are advised to apply the vendor-provided mitigations or discontinue use of the product if mitigations are unavailable. CISA has set a due date of October 3, 2023, for federal agencies to apply these mitigations (NIST NVD).