Storm-0978 Mitigation Enable
Enable the mitigation in the registry per CVE-2023-36884 instructions: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
This script is designed to protect your system against the Storm-0978 exploit. If you’re using Microsoft Defender for Office, you’re already safe from harmful attachments that could use this exploit. The script also employs a feature that stops all Office applications from starting up processes that could make your system vulnerable.
However, if you can’t use the above protections, you can still safeguard your system. The script uses a registry key setting, called FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION, to prevent the exploit. You won’t need to restart your whole system, but it’s a good idea to restart any applications that use this registry key just to make sure they’re using the updated, more secure setting.
It’s worth noting that applying these registry settings could potentially disrupt some functionality in your applications. That’s why we recommend testing this out first. If you need to disable this security feature, you can simply delete the registry key or set its value to “0”. See our disable script to automate this process.
Cross-protocol navigation essentially allows a webpage or a document to navigate, or move, from one internet protocol to another. For example, this can occur when a webpage or document using the HTTP protocol navigates to a URL using the FILE protocol.
Blocking cross-protocol navigation can disrupt certain functionalities, such as:
- Opening local or network files: If an online document or website attempts to open a file on your local system or network (e.g., through a file:// URL), this action will be blocked.
- Interacting with other protocols: If a website or document attempts to interact with a non-http or https protocol, like FTP or mailto, these actions could be blocked.
- Embedding content: Websites or documents that rely on embedding content from different protocols may not function correctly. For example, a website using HTTP protocol trying to embed a document from a FILE protocol source may not be able to display the document.
If employed, it is best to have a reminder to remove this when Microsoft releases an expected out-of-band patch later this month.