- Windows 10 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 21H2 for 32-bit Systems
- Windows 10 Version 21H2 for ARM64-based Systems
- Windows 10 Version 21H2 for x64-based Systems
- Windows 10 Version 22H2 for 32-bit Systems
- Windows 10 Version 22H2 for ARM64-based Systems
- Windows 10 Version 22H2 for x64-based Systems
- Windows 11 version 21H2 for ARM64-based Systems
- Windows 11 version 21H2 for x64-based Systems
- Windows 11 Version 22H2 for ARM64-based Systems
- Windows 11 Version 22H2 for x64-based Systems
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server 2022
- Windows Server 2022 (Server Core installation)
Summary
Microsoft has released an update to address a vulnerability in the OleConvertOLESTREAMToIStorage and OleConvertOLESTREAMToIStorageEx functions when used in WordPad as described in CVE-2023-36563. Please note that other applications that use these functions might still be at risk.
The OleConvertOLESTREAMToIStorage and OleConvertOLESTREAMToIStorageEx functions are used to convert an OLE object from the OLE 1 storage model (OLESTREAM) to an OLE 2 structured storage object (IStorage).
When there are linked objects in OLESTREAM, these functions might automatically authenticate to the server where the link source is located to get information that is needed for the conversion.
If the OLESTREAM comes from an untrusted source, such as an RTF document downloaded from the Internet or an RTF-based email message, the user's NTLM credentials might be disclosed to a remote malicious server without the user's knowledge.
Applications that use these functions to convert OLESTREAM to IStorage might be at risk. Examples of such applications are Outlook, Word, and WordPad (through the Rich Edit Control, which delegates to these two functions to convert OLESTREAM contained in RTF).
Mitigate the vulnerability
If you have applications in your environment that are at risk of this vulnerability, follow these steps to mitigate the vulnerability.
- Use the following registry subkey and its values to disable the conversion of linked objects in OLESTREAM, with an optional exclusion list of applications.
WARNING Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
IMPORTANT Creating this subkey is optional. This subkey is not created by the system. If you need to disable conversion of linked objects in OLESTREAM, you must create it.
Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage
Value name: Disabled
Type: DWORD
Value data: 0x00000000 or 0x00000001
Note: To enable the conversion of linked objects, use 0x00000000. To disable the conversion of linked objects, use 0x00000001. If the registry subkey is defined in the registry path, this value data must be defined as 0x00000000 or 0x00000001.
Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage
Value name: ExclusionList
Type: REG_MULTI_SZ
Value data: Names of the .exe files of the applications that should be excluded when the value Disabled is set to 0x00000001. The conversion of linked objects in these applications remains enabled even when the value Disabled is set to 0x00000001. You can add applications that you know are safe from this vulnerability to the list. For example, you can add Outlook.exe, Winword.exe, Wordpad.exe. This value is optional.
- Take advantage of the new OLE32 APIs and Rich Edit Control messages to resolve the vulnerability in your applications. See details on the APIs and messages in the MSDN documentation.
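The registry mitigation from the first step above, as an added PowerShell example that is not part of the Microsoft advisory: it creates the subkey (which the system does not create on its own), sets the Disabled and ExclusionList values described above, and reads the state back so the setting can be verified in a baseline or audit script. The key path and value names are taken from the advisory; the function names and the exclusion entry used in the usage call are assumptions for illustration and must be replaced with the result of your own review of which applications are safe.

```powershell
# Added example (not from the Microsoft advisory): apply and verify the registry
# mitigation for CVE-2023-36563. Run in an elevated PowerShell session.
# Key path and value names come from the advisory; function names are assumed.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage'

function Set-OleLinkConversionMitigation {
    param(
        [switch]$Disable,                      # present -> Disabled = 0x00000001
        [string[]]$ExcludedExecutables = @()   # .exe names whose conversion stays enabled
    )
    if (-not (Test-Path -Path $KeyPath)) {
        # The subkey is optional and is not created by the system.
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $value = if ($Disable) { 1 } else { 0 }
    Set-ItemProperty -Path $KeyPath -Name 'Disabled' -Value $value -Type DWord

    if ($ExcludedExecutables.Count -gt 0) {
        # REG_MULTI_SZ: one executable name per string.
        Set-ItemProperty -Path $KeyPath -Name 'ExclusionList' -Value $ExcludedExecutables -Type MultiString
    } else {
        # No exclusions: remove the optional value rather than leaving an empty list.
        Remove-ItemProperty -Path $KeyPath -Name 'ExclusionList' -ErrorAction SilentlyContinue
    }
}

function Get-OleLinkConversionMitigation {
    # Report the effective state; the advisory requires Disabled to be 0 or 1.
    if (-not (Test-Path -Path $KeyPath)) {
        return [pscustomobject]@{
            KeyPresent    = $false
            Disabled      = $null
            ExclusionList = @()
            Effective     = 'Linked-object conversion enabled (subkey absent)'
        }
    }
    $props      = Get-ItemProperty -Path $KeyPath
    $disabled   = $props.Disabled
    $exclusions = @($props.ExclusionList)
    $effective  = switch ($disabled) {
        1 {
            $text = 'Linked-object conversion disabled'
            if ($exclusions.Count -gt 0) { $text += " except for: $($exclusions -join ', ')" }
            $text
        }
        0       { 'Linked-object conversion enabled' }
        default { 'Unexpected Disabled value; the advisory requires 0x00000000 or 0x00000001' }
    }
    [pscustomobject]@{
        KeyPresent    = $true
        Disabled      = $disabled
        ExclusionList = $exclusions
        Effective     = $effective
    }
}

# Usage (constructed): disable conversion system-wide, excluding only an application
# you have confirmed is patched. 'Wordpad.exe' is used here purely as an illustration.
Set-OleLinkConversionMitigation -Disable -ExcludedExecutables 'Wordpad.exe'
Get-OleLinkConversionMitigation | Format-List
```

Get-OleLinkConversionMitigation flags a Disabled value other than 0 or 1, since the advisory states that any other value is not valid once the subkey exists; running it before and after the change gives a record of the mitigation state for the affected hosts.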
APIs added
Two new APIs are added in OLE32 to help developers resolve potential vulnerabilities in their applications:
These two APIs differ from the original APIs in that the application can pass in an optional value or a callback function.
The optional value can be used to disable the conversion of any linked object found in the OLESTREAM. For example, the application can use this optional value to disable conversion of linked objects in document preview mode.
The callback function can query the application about whether a linked object found in the OLESTREAM should be disabled. The application can use the specific information about the linked object that is passed by the callback function to make a better decision. For example, the application could allow conversion of a linked object only if its linked file is located on a trusted server.
Rich Edit Control messages added
Two new Rich Edit Control messages are added to help developers resolve potential vulnerabilities in their applications that use Rich Edit Control to handle RTF.
- EM_SETDISABLEOLELINKCONVERSION: This message can be used to tell the Rich Edit Control to disable conversion of linked objects that are contained in OLESTREAM.
- EM_SETQUERYCONVERTOLELINKCALLBACK: This message can be used to pass a callback function to the Rich Edit Control. The Rich Edit Control will use the callback function to query the application about whether a linked object that is contained in OLESTREAM should be converted.