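<#
.SYNOPSIS
    This script will set the registry keys required to remediate CVE-2023-36884. Please note that these keys may affect regular functionality of Microsoft Office Products.
    These changes can be undone with the -Undo parameter or applied only to specific Office products using the -OfficeProducts parameter.
.DESCRIPTION
    This script will set the registry keys required to remediate CVE-2023-36884. Please note that these keys may affect regular functionality of Microsoft Office Products.
    These changes can be undone with the -Undo parameter or applied only to specific Office products using the -OfficeProducts parameter.

    For each selected product the script writes a DWORD value of 1, named after the product's executable, under
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION.
    Product names given to -OfficeProducts are matched exactly (case-insensitively), so "Wordpad" does not also select "Word".
.EXAMPLE
    (No Parameters)

    Visio was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\Visio.exe to 1
    Success!
    Word was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\WinWord.exe to 1
    Success!
    Wordpad was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\Wordpad.exe to 1
    Success!
    Project was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\WinProj.exe to 1
    Success!
    PowerPoint was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\PowerPnt.exe to 1
    Success!
    OldPowerPoint was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\PowerPoint.exe to 1
    Success!
    Excel was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\Excel.exe to 1
    Success!
    Publisher was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\MsPub.exe to 1
    Success!
    Graph was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\Graph.exe to 1
    Success!
    Access was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\MSAccess.exe to 1
    Success!

.PARAMETER Undo
    Removes the registry keys used for this fix (if they're set at all).
.EXAMPLE
    -Undo

    Visio was selected for remediation.
    Succesfully removed registry key!
    Word was selected for remediation.
    Succesfully removed registry key!
    Wordpad was selected for remediation.
    Succesfully removed registry key!
    Project was selected for remediation.
    Succesfully removed registry key!
    PowerPoint was selected for remediation.
    Succesfully removed registry key!
    OldPowerPoint was selected for remediation.
    Succesfully removed registry key!
    Excel was selected for remediation.
    Succesfully removed registry key!
    Publisher was selected for remediation.
    Succesfully removed registry key!
    Graph was selected for remediation.
    Succesfully removed registry key!
    Access was selected for remediation.
    Succesfully removed registry key!

.PARAMETER OfficeProducts
    Sets the registry key for only those products. Can be given an individual product or a comma separated list.
    Can also be used in combination with the -Undo parameter.
    Ex. "Publisher" or "Word,Excel,Access"
.EXAMPLE
    -OfficeProducts "Excel,Word"

    Word was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\WinWord.exe to 1
    Success!
    Excel was selected for remediation.
    Set Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\Excel.exe to 1
    Success!

.OUTPUTS
    None
.NOTES
    Must be run elevated: the values live under HKEY_LOCAL_MACHINE.
    Exit code 0 means every selected product was processed; exit code 1 means an error or nothing to do.
    These registry values are a mitigation only and do not replace installing the vendor's security updates.
    Running with -Undo removes the mitigation for the selected products, so review the product list before using it.
#>

[CmdletBinding()]
param (
    [Parameter()]
    [String]$OfficeProducts = "All",
    [Parameter()]
    [Switch]$Undo
)

begin {

    # Tests if the script is running in an elevated fashion (required for HKLM edits)
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }

    # Helper that creates or updates a single registry value and reports what it did.
    #   Path         - registry key (provider path) that holds the value; created if missing
    #   Name         - name of the value to set
    #   Value        - data to write
    #   PropertyType - registry value type, DWord by default
    # Any failure is written to the error stream and ends the script with exit code 1.
    # NOTE(review): the registry provider's name for REG_EXPAND_SZ is "ExpandString";
    # "ExpandedString" is left in the ValidateSet because this script only ever uses DWord - confirm before reuse.
    function Set-RegKey {
        param (
            $Path,
            $Name,
            $Value,
            [ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
            $PropertyType = "DWord"
        )
        if (-not $(Test-Path -Path $Path)) {
            # Check if path does not exist and create the path
            New-Item -Path $Path -Force | Out-Null
        }
        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {
            # Update property and print out what it was changed from and changed to
            $CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
            try {
                # -Type forces the requested value type; without it a pre-existing value of another
                # type (for example a string) would keep that type and the setting might not be honoured.
                Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "$Path\$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)"
        }
        else {
            # Create property with value
            try {
                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "Set $Path\$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)"
        }
    }

    # All the Microsoft Office products with the executable name used as the registry value name.
    # PowerPoint has two entries: "PowerPoint" (PowerPnt.exe) and "OldPowerPoint" (PowerPoint.exe).
    $RemediationValues = @{
        "Excel"         = "Excel.exe"
        "Graph"         = "Graph.exe"
        "Access"        = "MSAccess.exe"
        "Publisher"     = "MsPub.exe"
        "PowerPoint"    = "PowerPnt.exe"
        "OldPowerPoint" = "PowerPoint.exe"
        "Visio"         = "Visio.exe"
        "Project"       = "WinProj.exe"
        "Word"          = "WinWord.exe"
        "Wordpad"       = "Wordpad.exe"
    }
}
process {
    # Error out when not elevated
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }

    # If they have a smaller selection we'll want to filter our remediation list
    if ($OfficeProducts -notlike "All") {
        # $OfficeProducts is typed [String], so the split list is kept in its own variable;
        # assigning it back would join the names into one string again.
        $SelectedProducts = @($OfficeProducts.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        # Tell the operator about names that match no product instead of dropping them silently.
        $SelectedProducts | Where-Object { -not $RemediationValues.ContainsKey($_) } | ForEach-Object {
            Write-Warning "'$_' is not a recognised product name and was ignored."
        }

        # Exact (case-insensitive) comparison. A regex/substring match would let "Wordpad" also
        # select "Word" and "OldPowerPoint" also select "PowerPoint", which with -Undo would
        # remove the mitigation from a product the operator never named.
        $RemediationTargets = $RemediationValues.GetEnumerator() | Where-Object { $SelectedProducts -contains $_.Key }
    }
    else {
        $RemediationTargets = $RemediationValues.GetEnumerator()
    }

    # Path to all the registry keys
    $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"

    # We'll want to display an error if we don't have anything to do
    if ($RemediationTargets) {

        # For each product we're targeting we'll set the regkey. The Set-RegKey function already checks if it was successful and will display an error and exit if it fails
        $RemediationTargets | ForEach-Object {
            Write-Host "$($_.Name) was selected for remediation."
            $ValueName = $_.Value
            if (-not $Undo) {
                Set-RegKey -Path $Path -Name $ValueName -Value 1

                # Read the value back so "Success!" is only printed when the mitigation is really in place.
                $Applied = (Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
                if ($Applied -ne 1) {
                    Write-Error "[Error] Registry value $ValueName does not read back as 1!"
                    exit 1
                }
                Write-Host "Success!"
            }
            else {
                # If you only applied it to certain products this will error so instead we'll hide the errors and check afterwards if the registry key is there.
                Remove-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue | Out-Null
                if (Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue) {
                    Write-Error "[Error] Unable to undo registry key $($_.Value)!"
                    exit 1
                }
                else {
                    Write-Host "Succesfully removed registry key!"
                }
            }
        }

        Write-Warning "A reboot may be required."
        exit 0
    }
    else {
        Write-Host $RemediationTargets
        Write-Warning "No products were selected! The valid value's for -OfficeProducts is listed below you can also use a comma seperated list or simply put 'All'."
        # Enumerate the hashtable first: piping the hashtable object itself to Sort-Object does not sort its entries.
        $RemediationValues.GetEnumerator() | Sort-Object Name | Format-Table | Out-String | Write-Host
        Write-Error "ERROR: Nothing to do!"
        exit 1
    }
}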