CVE-2023-23378 Print 3D RCE remediation

Last Updated on March 22, 2024 by Dave Farquhar

The official fix for CVE-2023-23378 is to install 3D Builder from the Microsoft App Store, as Microsoft deprecated Print3D. A better, more scalable fix is to uninstall the vulnerable component with a PowerShell command.

I get a fair number of questions about vulnerabilities in Microsoft Store apps in my day job, so I share my notes and observations in case they’ll help other people as well.

Resolve CVE-2023-23378 in Microsoft Print3D by uninstalling

Print3D is deprecated, so the official fix is to upgrade to Microsoft 3D Builder from the Windows store. But the best remediation for CVE-2023-23378 in bulk is to uninstall the vulnerable app with a PowerShell command. If you use Microsoft Print3D, there’s nothing wrong with upgrading to 3D Builder, but you have to remember to do it. Otherwise, all you’re doing is increasing your attack surface without gaining productivity from it.

The only way to automate updating from the Windows Store is to use winget, and the reports I’m hearing from the field are that winget doesn’t reliably upgrade to Microsoft 3D Builder.

That leaves uninstalling. Here’s how to uninstall Microsoft Print3D from an admin PowerShell prompt:

Get-AppxPackage -Name Microsoft.Print3D -PackageTypeFilter Bundle -AllUsers | Remove-AppxPackage -AllUsers

And then issue this sequence of commands to make it stay gone. Otherwise it comes right back when someone logs onto the machine for the first time.

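# Package to remove; $app is reused for the provisioned package and the data folder
$app = "Microsoft.Print3D"
Get-AppxProvisionedPackage -Online | where DisplayName -EQ $app | Remove-AppxProvisionedPackage -Online
# Clean up leftover per-user app data for the current account
$appPath = "$Env:LOCALAPPDATA\Packages\$app*"
Remove-Item $appPath -Recurse -Force -ErrorAction SilentlyContinue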

There’s another command floating around but it’s less reliable than the one I gave above, so I strongly recommend using mine.

The PowerShell fix takes longer to copy and paste into a command prompt than it takes for it to run. To verify it worked, run this command:

dir "c:\program files\windowsapps\Microsoft.Print3D*"

The result should come up blank.
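
The steps above (remove for all users, remove the provisioned package, verify) combined into one function that a deployment tool can push to many machines. This is an added example, not the author's own script; the function name Remove-Print3D and the fields of the result object are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: the function name and output fields are hypothetical.
function Remove-Print3D {
    [CmdletBinding()]
    param([string]$App = 'Microsoft.Print3D')

    # 1. Remove the installed bundle from every user profile.
    Get-AppxPackage -Name $App -PackageTypeFilter Bundle -AllUsers |
        Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue

    # 2. Remove the provisioned copy so new profiles do not get it back.
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -EQ $App |
        Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
        Out-Null

    # 3. Clean leftover app data for the account running the script.
    Remove-Item "$Env:LOCALAPPDATA\Packages\$App*" -Recurse -Force `
        -ErrorAction SilentlyContinue

    # 4. Verify: nothing installed, nothing provisioned, nothing on disk.
    $installed   = @(Get-AppxPackage -Name $App -AllUsers)
    $provisioned = @(Get-AppxProvisionedPackage -Online |
                     Where-Object DisplayName -EQ $App)
    $onDisk      = @(Get-ChildItem "$Env:ProgramFiles\WindowsApps\$App*" `
                     -ErrorAction SilentlyContinue)

    # One object per machine, easy to collect into a CSV or a report.
    [pscustomobject]@{
        ComputerName  = $Env:COMPUTERNAME
        Installed     = $installed.Count
        Provisioned   = $provisioned.Count
        FoldersOnDisk = $onDisk.Count
        Remediated    = ($installed.Count + $provisioned.Count + $onDisk.Count) -eq 0
    }
}

Remove-Print3D
```

Remediated is False when any of the three checks still finds the package, which marks that machine for the recovery steps further down.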

Sometimes it’s necessary to reinstall Microsoft 3D Viewer before you can uninstall it cleanly. Here’s a command to do that:

Get-AppxPackage -allusers Microsoft.Microsoft3DViewer | foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

How bad is CVE-2023-23378 Microsoft Print3D remote code execution?

NVD gives CVE-2023-36739 a CVSSv3 base score of 7.8 on a scale of 1 to 10, giving it high severity. The highest possible severity on the CVE scale is Critical, and each of this trio of CVEs falls short of that.

At the time of this writing, Tenable gave it a VPR score of 7.4. Exploits exist, but a score of 7.4 suggests those exploits aren’t in widespread use. There’s a difference between exploitable and exploited. When the VPR score is lower than the CVSS score, that’s an indication of an overrated vulnerability.

I recommend prioritizing your VPR 9s and higher, and once you fix those, move down to your 7s and higher. Note that SANS’ vulnerability management maturity model recommends prioritizing with threat intelligence rather than severity or severity combined with exploitability. Tenable VPR uses approximately 150 threat intelligence attributes from multiple sources in its calculations.

Also, sometimes for compliance or contractual reasons you have to have a clean system, or a system with no medium severity or higher vulnerabilities. So this is a good one to get rid of, though it’s more work than a conventional, straightforward Windows update.

Recovering from a failed uninstall

Sometimes if you’ve omitted the -AllUsers option, you lock yourself out from being able to uninstall Microsoft 3DViewer. If you’ve tried other instructions online including reinstalling it, and nothing’s working, try creating a new local administrator, then run this command from an administrative PowerShell prompt:

Get-AppxPackage -Name Microsoft.Print3D -PackageTypeFilter Bundle -AllUsers | Remove-AppxPackage -AllUsers

That’s worked for me with reasonable success.

Fixing error 0x80070002

In the event that you receive the error code 0x80080002 with the recommendation you contact the software vendor, you have other options. You can fix it by running a command from an elevated PowerShell prompt:

Get-Appxpackage Microsoft.Print3D_3.3.791.0_x64__8wekyb3d8bbwe | Remove-AppxPackage -AllUsers

Be sure to copy and paste the exact text of the full package name, including the version number and the weird code at the end, from your error message, and substitute it for the package name in my command (the text beginning with Microsoft.Print3D_). Otherwise you’ll probably get another error.

Do I need Microsoft Print3D?

If you’re asking the question, probably not. If you actually use the Microsoft Print3D app, you’d probably know it. It’s easy enough to install 3D Builder from the Microsoft Store if you ever find yourself needing the functionality, so it’s generally safe to uninstall.

If you want more certainty, look for event ID 4688 in the computer’s event log or, better yet, in your SIEM, if you’re collecting event ID 4688. It’s a noisy event code but it’s valuable to threat hunters and high-achieving vulnerability analysts. Note that Windows truncates logs once they reach a certain size, so looking in the local logs will only tell you if someone used it recently.

At any rate, the key is looking for the text “Print3D.exe” in the field labeled ProcessName. You can search the local event log with the following PowerShell command:

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} | Select-Object TimeCreated, @{name='NewProcessName';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={ $_.Properties[8].Value }}
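
To answer the usage question without reading through every 4688 event, the following added example (not the author's command) keeps only Print3D.exe launches and summarizes them per user. The function name, the -Days parameter and the use of the target-user fields (Properties 9 to 11, assuming the Windows 10 and later event layout) are assumptions; process creation auditing must be enabled and the prompt elevated.

```powershell
# Added example: function name, parameter and output fields are hypothetical.
function Get-Print3DUsage {
    [CmdletBinding()]
    param([int]$Days = 90)

    $filter = @{
        LogName   = 'Security'
        ID        = 4688
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent errors out when nothing matches; SilentlyContinue turns
    # that into an empty result instead of a red error.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -like '*\Print3D.exe' } |
        ForEach-Object {
            # Store apps are often started by a system service, so prefer
            # the target user (indices 9-11) and fall back to the creator.
            $name   = $_.Properties[10].Value
            $domain = $_.Properties[11].Value
            if (-not $name -or $name -eq '-') {
                $name   = $_.Properties[1].Value
                $domain = $_.Properties[2].Value
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = "$domain\$name"
            }
        } |
        Group-Object User |
        ForEach-Object {
            [pscustomobject]@{
                User     = $_.Name
                Launches = $_.Count
                LastUsed = ($_.Group | Sort-Object TimeCreated -Descending |
                            Select-Object -First 1).TimeCreated
            }
        }
}

Get-Print3DUsage -Days 90 | Sort-Object LastUsed -Descending
```

No output means no launches were logged in the window, which is only as far back as the local Security log reaches.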

Is Microsoft Print3D bloatware?

Arguably it is, given that Print3D is deprecated and was rarely used in the first place. If you don’t ever remember using it, there’s a good chance you don’t need it.

Other Microsoft Store App vulnerabilities

I’ve written about several Microsoft Store app vulnerabilities. CVE-2023-33140, CVE-2023-36739, and CVE-2023-23378 all have very similar solutions.
