YaBoiSwayZ

Patch v3 for CVE-2023-36884

Aug 7th, 2023 (edited)
PowerShell 6.89 KB | Source Code | 0 0
  1. # Usage example
  2.  
  3. # Enable Protected View for Word: Toggle-FeatureForApplication -Enable $true -Feature "ProtectedView" -Application "Word"
  4.  
  5. # Disable Protected View for All Applications: Toggle-FeatureForApplication -Enable $false -Feature "ProtectedView" -Application "All"
  6.  
  7. # Toggle-ActiveXControlsInIE -Enable $true
  8.  
  9. # Toggle-ActiveXControlsInOffice -Enable $false
  10.  
  11. # Toggle-CrossProtocolNavigationInIE -Enable $true
  12.  
  13. # Toggle-ProtectedViewInOffice -Enable $false
  14.  
  15. # Define the parameters for the script
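  [CmdletBinding()]
  param (
      # Office product(s) whose executable name is written under the feature-control key;
      # "All" selects every product. Declared as an array so that several names can be
      # passed (-OfficeProducts Word,Excel) while each element is still checked against
      # the ValidateSet; a scalar [String] would reject any list before the script body runs.
      [Parameter()]
      [ValidateSet("Word", "Excel", "PowerPoint", "Outlook", "OneNote", "Access", "Publisher", "Visio", "Project", "All")]
      [String[]]$OfficeProducts = "All",
      # When present, the values written by this script are removed instead of set.
      [Parameter()]
      [Switch]$Undo
  )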
  24.  
  25. # Function to check if the script is running with administrator privileges
  function Test-IsElevated {
      <#
      .SYNOPSIS
      Reports whether the identity running this process is in the built-in Administrator role.
      .OUTPUTS
      The result of WindowsPrincipal.IsInRole for WindowsBuiltInRole::Administrator.
      #>
      $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
      $currentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
      $principal = New-Object -TypeName System.Security.Principal.WindowsPrincipal -ArgumentList $currentIdentity
      return $principal.IsInRole($adminRole)
  }
  31.  
  32. # Function to set a registry key with given parameters
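  function Set-RegKey {
      <#
      .SYNOPSIS
      Writes one registry value, creating the key first when it does not exist.
      .DESCRIPTION
      Reads the value's current data for the change report, writes the new data with the
      requested registry type, then prints "<path>\<name> changed from <old> to <new>".
      A failure to create the key or to write the value is reported with Write-Error and
      ends the whole script with exit code 1.
      .PARAMETER Path
      Provider path of the registry key.
      .PARAMETER Name
      Name of the value to write.
      .PARAMETER Value
      Data to store.
      .PARAMETER PropertyType
      Registry type used for the write; DWord when omitted.
      #>
      param (
          $Path,
          $Name,
          $Value,
          [ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
          $PropertyType = "DWord"
      )
      # Check if the registry path exists; if not, try to create it
      if (-not $(Test-Path -Path $Path)) {
          try {
              New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
          }
          catch {
              Write-Error "[Error] Unable to create registry path $Path. Please run the script with administrator privileges."
              exit 1
          }
      }

      # Previous data, kept only for the report line below (empty when the value did not exist)
      $CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

      try {
          # Pass the requested type through so the value is stored as the caller asked
          # (DWord by default) instead of leaving the choice of type to the provider.
          Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
      }
      catch {
          Write-Error "[Error] Unable to set registry key for $Name. Please see the error details below:"
          Write-Error $_.Exception.Message
          exit 1
      }

      # Display the change in the registry key
      Write-Host "$Path\$Name changed from $CurrentValue to $Value"
  }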
  68.  
  69. # Function to remove registry key
  function Remove-RegKey {
      <#
      .SYNOPSIS
      Deletes one registry value and confirms that it is gone.
      .DESCRIPTION
      Errors from the delete itself are suppressed; the outcome is decided by reading the
      value back. If it can still be read, an error is written and the script exits with
      code 1; otherwise a success line is printed.
      .PARAMETER Path
      Provider path of the registry key.
      .PARAMETER Name
      Name of the value to delete.
      #>
      param (
          $Path,
          $Name
      )

      Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue | Out-Null

      # Read back: anything returned means the value survived the delete
      $stillPresent = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
      if (-not $stillPresent) {
          Write-Host "Successfully removed registry key $Name!"
          return
      }

      Write-Error "[Error] Unable to undo registry key $Name!"
      exit 1
  }
  86.  
  87. # Function to perform remediation for specified products
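  function Perform-Remediation {
      <#
      .SYNOPSIS
      Sets (or, with -Undo, removes) one value per selected product under the
      FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION policy key.
      .PARAMETER RemediationTargets
      Product name -> value name pairs, given either as a dictionary or as a collection of
      key/value entries (for example the output of GetEnumerator() filtered by Where-Object).
      .PARAMETER Undo
      Remove the values instead of setting them to 1.
      #>
      param (
          # Left untyped on purpose: a [HashTable] constraint cannot bind the entry
          # collections that a filtered GetEnumerator() produces, and a failed binding
          # means no value is written at all.
          $RemediationTargets,
          [Switch]$Undo
      )

      # Define the path to the registry keys
      $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"

      # Normalise both accepted shapes to a list of key/value entries
      if ($RemediationTargets -is [System.Collections.IDictionary]) {
          $Entries = @($RemediationTargets.GetEnumerator())
      }
      else {
          $Entries = @($RemediationTargets)
      }

      # For each product targeted for remediation, set the corresponding registry key
      foreach ($Entry in $Entries) {
          Write-Host "$($Entry.Key) was selected for remediation."
          if (-not $Undo) {
              # Apply the remediation by setting the registry key to 1
              Set-RegKey -Path $Path -Name $Entry.Value -Value 1
              Write-Host "Success!"
          }
          else {
              # Undo the remediation by removing the registry key
              Remove-RegKey -Path $Path -Name $Entry.Value
          }
      }

      Write-Warning "A reboot may be required."
  }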
  113.  
  114. # Main function
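  begin {
      # Entry point: checks elevation, resolves the selected products to executable names,
      # then applies or undoes the feature-control values.
      # NOTE(review): every path through this block ends in `exit`, so the Toggle-* functions
      # defined after it in this file are never reached. PowerShell also does not normally
      # allow statements outside begin/process/end once a named block is used - confirm the
      # script parses as laid out.

      # Check if the script is running with administrator privileges
      if (-not (Test-IsElevated)) {
          Write-Error "Please run the script with administrator privileges."
          exit 1
      }

      # Product name -> executable name written as the registry value name.
      # "All" is a selector, not an executable; it stays in the table only so that the
      # help output below lists it as a valid choice.
      # NOTE(review): compare this executable list with the vendor advisory for
      # CVE-2023-36884 before relying on it as a complete mitigation.
      $RemediationValues = @{
          "Word" = "WINWORD.EXE";
          "Excel" = "EXCEL.EXE";
          "PowerPoint" = "POWERPNT.EXE";
          "Outlook" = "OUTLOOK.EXE";
          "OneNote" = "ONENOTE.EXE";
          "Access" = "MSACCESS.EXE";
          "Publisher" = "MSPUB.EXE";
          "Visio" = "VISIO.EXE";
          "Project" = "WINPROJ.EXE";
          "All" = "All Products"
      }

      # Accept one name, several names, or a comma-separated string, without assigning
      # back to the validated $OfficeProducts parameter variable.
      $Selected = @(
          $OfficeProducts |
              ForEach-Object { "$_".Split(',') } |
              ForEach-Object { $_.Trim() } |
              Where-Object { $_ }
      )
      $AllSelected = $Selected -contains "All"

      # Build a real hashtable of targets. The "All" placeholder entry is skipped so that
      # no value named "All Products" is written next to the executable names.
      $RemediationTargets = @{}
      foreach ($Entry in $RemediationValues.GetEnumerator()) {
          if ($Entry.Key -eq "All") { continue }
          if ($AllSelected -or ($Selected -contains $Entry.Key)) {
              $RemediationTargets[$Entry.Key] = $Entry.Value
          }
      }

      # An empty hashtable is still truthy, so test the count rather than the object
      if ($RemediationTargets.Count -gt 0) {
          Perform-Remediation -RemediationTargets $RemediationTargets -Undo:$Undo
          exit 0
      }
      else {
          # No products were selected for remediation
          Write-Warning "No products were selected! The valid values for -OfficeProducts are listed below. You can also use a comma-separated list or simply put 'All'."
          $RemediationValues | Sort-Object Name | Format-Table | Out-String | Write-Host
          Write-Error "ERROR: Nothing to do!"
          exit 1
      }
  }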
  158.  
  function Toggle-ActiveXControlsInIE ($Enable) {
      # Writes VersionCheckEnabled under the current user's Policies\Ext key:
      # 0 when $Enable is truthy, 1 otherwise.
      # NOTE(review): the value lives under HKEY_CURRENT_USER, so it applies to the account
      # that runs the script; confirm that is the intended user when running elevated, and
      # confirm against vendor documentation that 0 is the "enabled" state.
      $regPath = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext"
      if ($Enable) {
          $flag = 0
      }
      else {
          $flag = 1
      }
      Set-RegKey -Path $regPath -Name "VersionCheckEnabled" -Value $flag
  }
  164.  
  function Toggle-ActiveXControlsInOffice ($Enable) {
      # Writes UFIControls under the current user's Office\Common\Security key:
      # 1 when $Enable is truthy, 0 otherwise.
      # NOTE(review): HKEY_CURRENT_USER is the hive of the account running the script;
      # confirm the meaning of each UFIControls value against vendor documentation.
      $regPath = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security"
      if ($Enable) {
          $flag = 1
      }
      else {
          $flag = 0
      }
      Set-RegKey -Path $regPath -Name "UFIControls" -Value $flag
  }
  170.  
  function Toggle-CrossProtocolNavigationInIE ($Enable) {
      # Writes the value named "*" under the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
      # policy key: 1 when $Enable is truthy, 0 otherwise.
      # NOTE(review): the key is a "block" feature, so -Enable $true appears to turn the
      # block on rather than allow navigation; confirm the intended polarity and that "*"
      # is meant to cover every process.
      $regPath = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"
      if ($Enable) {
          $flag = 1
      }
      else {
          $flag = 0
      }
      Set-RegKey -Path $regPath -Name "*" -Value $flag
  }
  176.  
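  function Toggle-ProtectedViewInOffice ($Enable, $OfficeProduct) {
      # Writes the value "Enable" under
      # HKCU\Software\Microsoft\Office\16.0\<product>\Security\ProtectedView:
      # 0 when $Enable is truthy, 1 otherwise.
      #
      # $OfficeProduct names the Office application sub-key (for example Word). It is
      # required: the path used to contain the literal text "<OfficeProduct>", so the value
      # was written under a key of that name and reported as changed without touching any
      # real application key.
      #
      # NOTE(review): confirm against Office policy documentation that "Enable" is a value
      # Protected View reads and that 0 is the protective state; the key is also tied to
      # the 16.0 version branch and to the hive of the account running the script.
      if ([string]::IsNullOrEmpty("$OfficeProduct") -or ("$OfficeProduct" -notmatch '^[A-Za-z0-9]+$')) {
          # Fail closed instead of writing to a placeholder or to a caller-shaped path
          Write-Error "[Error] -OfficeProduct must name a single Office application key (letters and digits only); nothing was changed."
          return
      }

      $value = if ($Enable) { 0 } else { 1 }
      $path = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\$OfficeProduct\Security\ProtectedView"
      Set-RegKey -Path $path -Name "Enable" -Value $value
  }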
  182.  
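  function Toggle-FeatureForApplication ($Enable, $Application, $Feature, $OfficeProduct) {
      # Writes the value named $Application under
      # HKCU\Software\Microsoft\Office\16.0\<product>\Security\<feature>:
      # 0 when $Enable is truthy, 1 otherwise.
      #
      # $OfficeProduct names the Office application sub-key. It is required: the path used
      # to contain the literal text "<OfficeProduct>", so every call wrote under a key of
      # that name and still reported a change.
      # $Feature becomes a path segment, so it is limited to letters and digits as well.
      #
      # NOTE(review): whether $Application was meant to be the sub-key rather than the value
      # name cannot be told from this file - confirm the intended layout before use.
      foreach ($Segment in @("$OfficeProduct", "$Feature")) {
          if ([string]::IsNullOrEmpty($Segment) -or ($Segment -notmatch '^[A-Za-z0-9]+$')) {
              # Fail closed instead of writing to a placeholder or to a caller-shaped path
              Write-Error "[Error] -OfficeProduct and -Feature must each be a single key name (letters and digits only); nothing was changed."
              return
          }
      }

      $value = if ($Enable) { 0 } else { 1 }
      $path = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\$OfficeProduct\Security\$Feature"
      Set-RegKey -Path $path -Name $Application -Value $value
  }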