CVE-2023-33140 OneNote Spoofing remediation

Last Updated on March 22, 2024 by Dave Farquhar

If you need to remediate CVE-2023-33140, the OneNote spoofing vulnerability, the best way to do it is to uninstall the Microsoft Store version of OneNote. Here's why that is OK to do, and how to do it. Fixing Microsoft Store app vulnerabilities is hard.

Resolve CVE-2023-33140 in OneNote by uninstalling

The best way to fix CVE-2023-33140 is to uninstall OneNote with a PowerShell command.

You can update OneNote from the Microsoft Store, but the best remediation for CVE-2023-33140 in bulk is to uninstall the vulnerable component with a PowerShell command. The vulnerable component is the Store (Appx) version of OneNote that ships with Windows, package name Microsoft.Office.OneNote. If you use OneNote, you most likely use the version that came with Microsoft Office, which is a separate Click-to-Run install that the Appx removal below does not touch, not the less powerful one that comes with Windows. The practical way to automate updating from the Microsoft Store is winget, and the reports I'm hearing from the field are that winget doesn't reliably update OneNote.

That leaves uninstalling. Here's how to uninstall the Store OneNote package from an elevated PowerShell prompt:

# The Store package is named Microsoft.Office.OneNote (the full package name appears in the error text later in this post)
Get-AppxPackage -Name Microsoft.Office.OneNote -PackageTypeFilter Bundle -AllUsers | Remove-AppxPackage -AllUsers

Then issue this sequence of commands to make it stay gone. The first removes the provisioned copy of the package, which is what Windows installs for anyone who logs onto the machine for the first time; without it, OneNote comes right back. The other two clear the leftover app data from the profile of the account you are running as (note that $Env:LOCALAPPDATA only covers that one account).

$app = "Microsoft.Office.OneNote"
Get-AppxProvisionedPackage -Online | where DisplayName -EQ $app | Remove-AppxProvisionedPackage -Online
$appPath = "$Env:LOCALAPPDATA\Packages\$app*"
Remove-Item $appPath -Recurse -Force -ErrorAction 0

There's another command floating around, but it's less reliable than the one I gave above, so I strongly recommend using mine.

The PowerShell fix takes longer to copy and paste into a prompt than it takes to run. To verify it worked, run this command:

dir "c:\program files\windowsapps\Microsoft.Office.OneNote*"

The result should come up blank. If it comes back access denied rather than blank, the WindowsApps directory is ACL-restricted on that build; in that case check with Get-AppxPackage -AllUsers instead, which should also return nothing.
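The steps above, uninstall, deprovision, clean up and verify, as one script. This is an added example and not the post's own command set; it assumes the Store package name Microsoft.Office.OneNote taken from the Remove-AppxPackage error text quoted later in this post, and that user profiles live under C:\Users. It removes each registered package by its exact PackageFullName, walks every profile rather than only $Env:LOCALAPPDATA, and verifies through the Appx cmdlets so it does not depend on being able to list the WindowsApps directory.

```powershell
# Added example, not from the original post: bulk remediation of the Store
# OneNote package for CVE-2023-33140. Run from an elevated PowerShell prompt.
# Assumption: the Store package name is Microsoft.Office.OneNote. The Office
# Click-to-Run OneNote is not an Appx package and is not affected by this.
#Requires -RunAsAdministrator

$PackageName = 'Microsoft.Office.OneNote'

# 1. Remove the installed bundle for every user profile on the machine.
#    Removing by PackageFullName rather than a wildcard pipe gives a clear
#    per-package result when more than one version is registered.
$installed = @(Get-AppxPackage -AllUsers -Name $PackageName -PackageTypeFilter Bundle)
foreach ($pkg in $installed) {
    try {
        Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
        Write-Host "Removed $($pkg.PackageFullName)"
    } catch {
        Write-Warning "Could not remove $($pkg.PackageFullName): $($_.Exception.Message)"
    }
}

# 2. Remove the provisioned (staged) copy so it is not installed again for
#    users who log on for the first time after remediation.
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -EQ $PackageName |
    ForEach-Object {
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
        Write-Host "Deprovisioned $($_.PackageName)"
    }

# 3. Clear leftover per-user app data. $Env:LOCALAPPDATA only covers the
#    account running the script, so walk every profile directory instead.
#    Assumption: profiles are under C:\Users.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    $leftover = Join-Path $profile.FullName "AppData\Local\Packages\${PackageName}_*"
    Remove-Item $leftover -Recurse -Force -ErrorAction SilentlyContinue
}

# 4. Verify. Both lists should be empty. This check does not need read access
#    to C:\Program Files\WindowsApps, which is ACL-restricted.
$remaining = @(Get-AppxPackage -AllUsers -Name $PackageName)
$staged    = @(Get-AppxProvisionedPackage -Online | Where-Object DisplayName -EQ $PackageName)
if ($remaining.Count -eq 0 -and $staged.Count -eq 0) {
    Write-Host 'CVE-2023-33140: Store OneNote package removed and deprovisioned.'
} else {
    Write-Warning "OneNote still present: $($remaining.Count) installed, $($staged.Count) provisioned."
}
```

Step 1 deliberately keeps going after a failed removal and reports which package full name failed, so a machine with a stale registration surfaces the exact name you need for the manual fix described further down rather than stopping the script.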

Sometimes it's necessary to re-register OneNote before you can uninstall it cleanly. This command re-registers the package for every user from its existing install location:

Get-AppxPackage -AllUsers Microsoft.Office.OneNote | foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

How bad is CVE-2023-33140 OneNote Spoofing?

NVD gives CVE-2023-33140 a CVSSv3 base score of 6.5 on a scale of 0 to 10, giving it a medium severity. Exploits do exist. At the time of this writing, Tenable gave it a VPR score of 4.4, which seems to be driven by the exploit not being in widespread use. The 4.4 score is indicative of a vulnerability that's exploitable, but not necessarily exploited, at least not commonly. There's a difference. When I first started researching for this blog post, the VPR score was 5.1.

But sometimes for compliance or contractual reasons you have to have a clean system, or a system with no medium severity or higher vulnerabilities.

Recovering from a failed uninstall

Sometimes, if you've omitted the -AllUsers option, you lock yourself out of being able to uninstall OneNote, because the package stays registered for an account other than the one you are running as. If you've tried other instructions online, including re-registering it, and nothing's working, try creating a new local administrator, log on as that account, then run this command from an administrative PowerShell prompt:

Get-AppxPackage -Name Microsoft.Office.OneNote -PackageTypeFilter Bundle -AllUsers | Remove-AppxPackage -AllUsers

That’s worked for me with reasonable success.

How I fixed error 0x80070002

One time when uninstalling OneNote, I received the error code 0x80070002 with the recommendation I contact the software vendor. Yeah, we're not gonna do that. Here's the full text of error 0x80070002 and how I fixed the error.

Remove-AppxPackage : Removal failed. Please contact your software vendor.
Deployment Remove operation with target volume C: on Package
Microsoft.Office.OneNote_16001.14326.21452.0_x64__8wekyb3d8bbwe from: failed with error 0x80070002. See
http://go.microsoft.com/fwlink/?LinkId=235160 for help diagnosing app deployment issues.
At line:1 char:29
+ Get-Appxpackage *OneNote* | Remove-AppxPackage -AllUsers
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Remove-AppxPackage], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.Windows.Appx.PackageManager.Commands.RemoveAppxPackageCommand

When that happened, I was able to fix it with the below command, from an elevated PowerShell prompt:

Get-Appxpackage Microsoft.Office.OneNote_16001.14326.21452.0_x64__8wekyb3d8bbwe | Remove-AppxPackage -AllUsers

Note that I copied and pasted the exact text from the italicized text in my error message. Copy the text from yours to make the command work, otherwise you’ll probably get another error.
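The same recovery, automated: as an added example that is not part of the original post, this script attempts the broad removal, and when it fails, pulls the exact package full name out of the Remove-AppxPackage error text and retries against that one package by name. It assumes the error keeps the "on Package <name> from:" phrasing quoted above, and it passes the full name to Remove-AppxPackage -Package, which accepts a PackageFullName directly, rather than through Get-AppxPackage.

```powershell
# Added example, not from the original post: recover from a 0x80070002
# Remove-AppxPackage failure by retrying with the exact PackageFullName that
# the error message names. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Get-FailedPackageFullName {
    # Assumption: the error text reads "... on Package <PackageFullName> from: failed ..."
    # as in the message quoted above. Whitespace may include a line break.
    param([string]$ErrorText)
    if ($ErrorText -match 'on Package\s+(\S+?)\s+from:') { return $Matches[1] }
    return $null
}

function Remove-OneNoteByFullName {
    param([string]$PackageFullName)
    # Only retry if the package is still registered for some user; if the
    # registration is already gone, a retry would fail the same way.
    $pkg = Get-AppxPackage -AllUsers | Where-Object PackageFullName -EQ $PackageFullName
    if (-not $pkg) {
        Write-Warning "$PackageFullName is not registered for any user"
        return $false
    }
    Remove-AppxPackage -Package $PackageFullName -AllUsers -ErrorAction Stop
    return $true
}

# Broad removal first; capture the COMException instead of letting it stop the script.
try {
    Get-AppxPackage -AllUsers -Name 'Microsoft.Office.OneNote' -PackageTypeFilter Bundle |
        Remove-AppxPackage -AllUsers -ErrorAction Stop
    Write-Host 'Broad removal succeeded'
} catch {
    $full = Get-FailedPackageFullName -ErrorText $_.Exception.Message
    if (-not $full) { throw }   # some other failure; surface it unchanged
    Write-Host "Broad removal failed on $full; retrying that package alone"
    if (Remove-OneNoteByFullName -PackageFullName $full) {
        Write-Host "Removed $full"
    }
}
```

If the retry itself still fails with 0x80070002, the package files are missing from disk while the registration remains; that is the case where re-registering from the AppXManifest.xml, as shown earlier in this post, and then removing again is the next step.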


Other Microsoft Store App vulnerabilities

I’ve written about several Microsoft Store app vulnerabilities. CVE-2023-33140, CVE-2023-36739, and CVE-2023-23378 all have very similar solutions.

If you found this post informative or helpful, please share it!