Exploit:Win32/CVE-2023-38831

Guidance for individual users

Keep your operating system and antivirus products up to date. Ensure that WinRAR software is updated (WinRAR versions before 6.23 are affected). The patch addresses CVE-2023-38831 and how affected archives might be used to distribute malware.

It is crucial to exercise caution when dealing with archive files such as those in ZIP format. Avoid opening archives from untrusted sources to minimize the risk of encountering malicious content.

For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.

Guidance for enterprise administrators

Following the mitigation steps below can help prevent exploits:

• Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown variants.
• Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
• Invest in advanced, anti-phishing solutions that monitor incoming emails and visited websites. Microsoft Defender for Office 365 brings together incident and alert management across email, devices, and identities, centralizing investigations for threats in email. Organizations can also leverage web browsers that automatically identify and block malicious websites, including those used in this phishing campaign.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.