📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
Vulnerabilities

CVE-2023-36884

Critical 🇺🇸 CISA KEV ⚡ Exploit Available
Published: Jul 17, 2023  ·  Source: CISA_KEV
CVSS v3
9.0
🔗 NVD Official
📄 Description (English)

Microsoft Windows Search Remote Code Execution Vulnerability — Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file, leading to remote code execution.

🤖 AI Executive Summary

CVE-2023-36884 is a critical remote code execution vulnerability in Microsoft Windows Search that allows attackers to bypass Mark of the Web (MOTW) security defenses through specially crafted malicious files. With a CVSS score of 9.0 and confirmed exploit availability in the wild, this vulnerability has been actively weaponized by threat actors including the Russian-linked RomCom/Storm-0978 group in targeted campaigns. The vulnerability poses an immediate and severe risk to organizations as it can be triggered without requiring elevated privileges, enabling full system compromise. Saudi organizations running Windows environments must treat this as an emergency patching priority given the active exploitation status.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 17, 2026 09:38
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations face elevated risk given the widespread deployment of Windows environments across all critical sectors. Banking and financial institutions regulated by SAMA are at high risk as threat actors have used this vulnerability in financially motivated campaigns targeting wire transfer systems and sensitive financial data. Government entities under NCA oversight running Windows-based infrastructure face espionage and data exfiltration risks, particularly given the geopolitical targeting patterns of Storm-0978. Saudi Aramco and energy sector organizations are prime targets due to their strategic value, and a successful exploit could enable lateral movement into OT/ICS-adjacent networks. Telecom providers such as STC face risk of customer data compromise and network infrastructure disruption. Healthcare organizations using Windows-based medical systems and patient record platforms are also vulnerable. The active exploitation by nation-state actors makes this particularly concerning for Saudi Vision 2030 digital transformation projects and smart city initiatives like NEOM.
🏢 Affected Saudi Sectors
Banking, Government, Energy, Telecom, Healthcare, Defense, Critical Infrastructure, Education, Retail
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (0-24 hours):
1. Apply Microsoft's official patch released in August 2023 Patch Tuesday (KB5029263 and related updates) immediately across all Windows endpoints and servers.
2. Isolate any systems showing indicators of compromise (IOCs) associated with RomCom/Storm-0978 campaigns.
3. Block execution of Office applications from spawning child processes using Attack Surface Reduction (ASR) rules.
4. Enable the following ASR rule: 'Block all Office applications from creating child processes' (GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A).

PATCHING GUIDANCE:
5. Prioritize patching in this order: Internet-facing systems, domain controllers, executive workstations, financial systems, then general endpoints.
6. Apply KB5029263 for Windows 10/11 and corresponding Server updates via WSUS or SCCM.
7. Verify patch deployment using: wmic qfe list | findstr KB5029263

COMPENSATING CONTROLS (if patching is delayed):
8. Disable the SEARCH-MS protocol handler by deleting (or emptying) the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\search-ms.
9. Restrict outbound SMB traffic (port 445) at the perimeter firewall to prevent NTLM relay attacks.
10. Deploy Microsoft Defender with cloud-delivered protection enabled and set to 'Block' mode.
11. Enable Protected View and Application Guard for Microsoft Office.
12. Block .search-ms and .searchConnector-ms file extensions at email gateways and web proxies.

DETECTION RULES:
13. Monitor for suspicious child processes spawned by explorer.exe or Office applications.
14. Alert on search-ms:// URI scheme invocations from Office documents or browsers.
15. SIEM rule: Alert on Windows Event ID 4688 where parent process is winword.exe/excel.exe and child process is cmd.exe/powershell.exe/wscript.exe.
16. Hunt for LOLBins (living-off-the-land binaries) executed post-document-open events.
17. Monitor network traffic for outbound connections to known RomCom C2 infrastructure using threat intelligence feeds.
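The SIEM rule in step 15 (together with the child-process monitoring in step 13), as an added example that is not part of this advisory: a Python filter over Windows Security Event ID 4688 records that matches on the case-folded image file name, so full paths and mixed-case names still hit. Field names mirror the 4688 event's own fields (NewProcessName, ParentProcessName, Computer, SubjectUserName); the sample events are constructed, not real telemetry.

```python
from pathlib import PureWindowsPath

# Process names taken from detection steps 13 and 15 above (compared case-insensitively)
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}

def image_name(image_path: str) -> str:
    """Reduce a 4688 full image path to its lower-cased file name."""
    return PureWindowsPath(image_path).name.lower()

def is_office_spawn(event: dict) -> bool:
    """True when a 4688 event shows an Office parent launching a shell or script host."""
    if event.get("EventID") != 4688:
        return False
    parent = image_name(event.get("ParentProcessName", ""))
    child = image_name(event.get("NewProcessName", ""))
    return parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN

def find_office_spawns(events: list[dict]) -> list[dict]:
    """Filter a batch of Security-log events down to rule hits, as a SIEM search would."""
    return [e for e in events if is_office_spawn(e)]

# Constructed sample events (not real telemetry); field names mirror the 4688 event.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS-FIN-01", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS-FIN-01", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: Explorer opening Word is the normal document-open chain, not a hit
    {"EventID": 4688, "Computer": "WS-HR-07", "SubjectUserName": "bob",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Benign: Word spawning the print-spooler helper is expected behaviour
    {"EventID": 4688, "Computer": "WS-HR-07", "SubjectUserName": "bob",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\splwow64.exe"},
    # Not a process-creation event at all; the rule must ignore it
    {"EventID": 4624, "Computer": "WS-HR-07", "SubjectUserName": "bob"},
    # Mixed-case image names must still match
    {"EventID": 4688, "Computer": "WS-HR-07", "SubjectUserName": "bob",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\winword.exe",
     "NewProcessName": r"C:\Windows\System32\WScript.exe"},
]
```

Running `find_office_spawns(SAMPLE_EVENTS)` returns the three Office-to-shell events and skips the benign chains and the logon event; in production the same predicate can be applied to 4688 events exported from the SIEM.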
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Patch and vulnerability management — critical patches must be applied within defined SLAs
ECC-2-3-1: Malware protection and endpoint security controls
ECC-2-5-1: Email and web filtering to block malicious file delivery vectors
ECC-2-6-1: Network security controls including protocol restriction
ECC-3-3-2: Security monitoring and detection of anomalous process execution
ECC-1-3-1: Asset management and exposure reduction for internet-facing systems
🔵 SAMA CSF
Cybersecurity Operations — Vulnerability Management: Timely remediation of critical CVEs
Cybersecurity Operations — Threat Intelligence: Integration of IOCs from active exploitation campaigns
Cybersecurity Operations — Security Monitoring and Analytics: Detection of MOTW bypass and RCE indicators
Cybersecurity Resilience — Incident Management: Response procedures for active exploitation
Cybersecurity Architecture — Endpoint Security: ASR rules and application control enforcement
Third-Party Cybersecurity: Ensuring vendor and supply chain systems are patched
🟡 ISO 27001:2022
A.8.8 — Management of technical vulnerabilities: Timely identification and remediation
A.8.7 — Protection against malware: Endpoint protection and file type controls
A.8.20 — Networks security: Restricting SMB and unnecessary protocols
A.8.16 — Monitoring activities: Detection of suspicious process execution chains
A.5.25 — Assessment and decision on information security events
A.8.19 — Installation of software on operational systems: Controlled patching procedures
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components are protected from known vulnerabilities by installing applicable security patches
Requirement 5.2 — Malicious software (malware) is prevented, or detected and addressed
Requirement 10.7 — Failures of critical security controls are detected and reported
Requirement 12.3.2 — Targeted risk analysis for critical vulnerability remediation timelines
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Microsoft:Windows
📊 CVSS Score
9.0
/ 10.0 — Critical
📋 Quick Facts
Severity Critical
CVSS Score 9.0
EPSS 93.22%
Exploit ✓ Yes
Patch ✓ Yes
CISA KEV 🇺🇸 Yes
KEV Due Date 2023-08-29
Published 2023-07-17
Source Feed cisa_kev
🇸🇦 Saudi Risk Score
9.2
/ 10.0 — Saudi Risk
🏷️ Tags
kev actively-exploited ransomware