CVE-2023-36739 Microsoft 3D Viewer Remote Code Execution remediation

Last Updated on March 22, 2024 by Dave Farquhar

If you’re dealing with CVE-2023-36739, CVE-2023-36740, and CVE-2023-36760 Microsoft 3D Viewer Code Execution remediation, the best way to do it, assuming you’re not using the app, is to uninstall it. Here’s why this is OK to do, and how to do it. Fixing Windows Store vulnerabilities is hard. And Microsoft 3D Viewer has a history of high severity vulnerabilities dating back to October 2020, so uninstalling it can save you future remediation work.

I get a fair number of questions about vulnerabilities in Microsoft Store apps in my day job, so I share my notes and observations in case they’ll help other people as well.

Resolve CVE-2023-36739, CVE-2023-36740 and CVE-2023-36760 in Microsoft 3D Viewer by uninstalling

Microsoft 3D Viewer has a history of high severity CVEs dating back to October 2020, including CVE-2023-36739. To avoid repeated remediation, I recommend uninstalling it unless you know someone actively uses it.

The best way to fix CVE-2023-36739, CVE-2023-36740, and CVE-2023-36760 is to uninstall Microsoft 3D Viewer with a PowerShell command.

You can update Microsoft 3D Viewer from the Windows Store. But the best remediation for CVE-2023-36739, CVE-2023-36740, and CVE-2023-36760 in bulk is to uninstall the vulnerable app with a PowerShell command. If you use Microsoft 3D Viewer, there’s nothing wrong with updating it, but you have to remember to do it. The only way to automate updating from the Windows Store is to use winget, and the reports I’m hearing from the field are that winget doesn’t reliably update Microsoft 3D Viewer.

That leaves uninstalling. Here’s how to uninstall Microsoft 3D Viewer from an admin PowerShell prompt:

Get-AppxPackage -Name Microsoft.Microsoft3DViewer -PackageTypeFilter Bundle -AllUsers | Remove-AppxPackage -AllUsers

And then issue this sequence of commands to make it stay gone. Otherwise it comes right back when someone logs onto the machine for the first time.

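# $app must be set: an empty $app would make the wildcard below match every package folder
$app = "Microsoft.Microsoft3DViewer"
Get-AppxProvisionedPackage -Online | where DisplayName -EQ $app | Remove-AppxProvisionedPackage -Online
# Remove leftover app data for the current user
$appPath = "$Env:LOCALAPPDATA\Packages\$app*"
Remove-Item $appPath -Recurse -Force -ErrorAction SilentlyContinue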

There’s another command floating around but it’s less reliable than the one I gave above, so I strongly recommend using mine.

The PowerShell fix takes longer to copy and paste into a command prompt than it takes for it to run. To verify it worked, run this command:

dir "c:\program files\windowsapps\Microsoft.Microsoft3DViewer*"

The result should come up blank.
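The dir check above only looks at the files on disk. As an added example (not from the original post), this function checks all three places the app can survive: registration for any user, provisioning in the image, and the WindowsApps folder. The function name and output property names are my own, and it assumes an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
function Get-3DViewerRemovalState {
    [CmdletBinding()]
    param(
        # Package name used throughout the post
        [string]$PackageName = 'Microsoft.Microsoft3DViewer'
    )

    # 1. Still registered for any user profile?
    $registered = @(Get-AppxPackage -AllUsers -Name $PackageName -ErrorAction SilentlyContinue)

    # 2. Still provisioned, so it would come back at the next first logon?
    $provisioned = @(Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -EQ $PackageName)

    # 3. Still on disk, which is what the dir check looks at?
    $onDisk = @(Get-ChildItem -Path "$Env:ProgramFiles\WindowsApps" `
        -Filter "$PackageName*" -Directory -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $Env:COMPUTERNAME
        RegisteredCount  = $registered.Count
        Versions         = ($registered.Version | Sort-Object -Unique) -join ', '
        ProvisionedCount = $provisioned.Count
        FoldersOnDisk    = $onDisk.Name -join ', '
        # True only when nothing is left in any of the three places
        Remediated       = -not ($registered.Count -or $provisioned.Count -or $onDisk.Count)
    }
}

Get-3DViewerRemovalState | Format-List
```

A nonzero ProvisionedCount with RegisteredCount at zero means the app is gone for now but will return when a new user logs on.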

Sometimes it’s necessary to reinstall Microsoft 3D Viewer before you can uninstall it cleanly. Here’s a command to do that:

Get-AppxPackage -AllUsers Microsoft.Microsoft3DViewer | foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

How bad is CVE-2023-36739, CVE-2023-36740, CVE-2023-36760 Microsoft 3D Viewer remote code execution?

NVD gives CVE-2023-36739 a CVSSv3 base score of 7.8 on a scale of 1 to 10, giving it high severity. The highest possible severity on the CVE scale is Critical, and each of this trio of CVEs falls short of that.

At the time of this writing, Tenable gave it a VPR score of 6.7, largely because no known exploits exist yet. A score of 6.7 indicates a medium risk. The 6.7 score is indicative of a vulnerability that attackers haven’t given up on yet, but when the VPR score is lower than the CVSS score, that’s an indication of an overrated vulnerability. I recommend prioritizing your VPR 9s and higher, and once you fix those, move down to your 7s and higher. Note that SANS’ vulnerability management maturity model recommends prioritizing with threat intelligence rather than severity or severity combined with exploitability. Tenable VPR uses approximately 150 threat intelligence attributes from multiple sources in its calculations.

But sometimes for compliance or contractual reasons you have to have a clean system, or a system with no medium severity or higher vulnerabilities. I recommend handling those on a case-by-case basis, especially when it comes to vulnerabilities like this one.

Recovering from a failed uninstall

Sometimes if you’ve omitted the -AllUsers option, you lock yourself out from being able to uninstall Microsoft 3D Viewer. If you’ve tried other instructions online, including reinstalling it, and nothing’s working, try creating a new local administrator, then run this command from an administrative PowerShell prompt:

Get-AppxPackage -Name Microsoft.Microsoft3DViewer -PackageTypeFilter Bundle -AllUsers | Remove-AppxPackage -AllUsers

That’s worked for me with reasonable success.

Fixing error 0x80070002

In the event that you receive the error code 0x80080002 with the recommendation that you contact the software vendor, you have other options. You can fix it by running a command from an elevated PowerShell prompt:

Get-Appxpackage Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe | Remove-AppxPackage -AllUsers

Be sure to copy and paste the exact text of the full package name, including the version number and the weird code at the end, from your error message, and substitute it for the package name in my command (the text between Get-AppxPackage and the pipe). Otherwise you’ll probably get another error.

Do I need Microsoft 3D Viewer?

If you’re asking the question, probably not. If you actually use the Microsoft 3D Viewer app, you’d probably know it. It’s easy enough to reinstall from the Microsoft Store if you ever find yourself needing it, so it’s generally safe to uninstall.

If you want more certainty, look for event ID 4688 in the computer’s event log or, better yet, in your SIEM, if you’re collecting event ID 4688. It’s a noisy event code but it’s valuable to threat hunters and high-achieving vulnerability analysts. Note that Windows truncates logs once they reach a certain size, so looking in the local logs will only tell you if someone used it recently.

At any rate, the key is looking for the text “3DViewer.exe” in the field labeled ProcessName. You can search the local event log with the following PowerShell command:

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} | Select-Object TimeCreated, @{name='NewProcessName';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={ $_.Properties[8].Value }}
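As an added example (not from the original post), this function narrows the same 4688 search to 3DViewer.exe and summarizes who launched it and when, along with how far back the local Security log actually reaches. The function name and output property names are my own; it assumes an elevated prompt and that Audit Process Creation is enabled so 4688 events exist.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
function Get-3DViewerUsage {
    [CmdletBinding()]
    param(
        # Executable name the post says to look for
        [string]$ImageName = '3DViewer.exe'
    )

    # Oldest event still in the local log: usage before this date is not visible here
    $oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue

    # 4688 property indexes: 1 = SubjectUserName, 2 = SubjectDomainName, 5 = NewProcessName
    $hits = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -like "*\$ImageName" } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                User           = '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value
                NewProcessName = $_.Properties[5].Value
            }
        })

    [pscustomobject]@{
        ComputerName   = $Env:COMPUTERNAME
        LogCoversSince = $oldest.TimeCreated
        LaunchCount    = $hits.Count
        LastLaunch     = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        Users          = ($hits.User | Sort-Object -Unique) -join ', '
    }
}

Get-3DViewerUsage | Format-List
```

A LaunchCount of zero only covers the period since LogCoversSince, so a short local log is weak evidence compared with the same search in a SIEM.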

Is Microsoft 3D Viewer bloatware?

It’s only bloatware if you don’t use it. That said, 3D Viewer is one of those apps where, if you don’t remember ever using it, there’s a good chance you don’t need it.

Other Microsoft Store App vulnerabilities

I’ve written about several Microsoft Store app vulnerabilities. CVE-2023-33140, CVE-2023-36739, and CVE-2023-23378 all have very similar solutions.
