Summary: Microsoft has disclosed an unpatched zero-day vulnerability in Office (CVE-2024-38200) that could lead to unauthorized disclosure of sensitive information. The flaw affects multiple versions of Microsoft Office and requires user interaction to exploit.
Threat Actor: Malicious actors | malicious actors
Victim: Microsoft Office users | Microsoft Office users
Key Point :
- The vulnerability has a CVSS score of 7.5 and is classified as a spoofing flaw.
- Attackers must convince users to click on a link and open a specially crafted file to exploit the vulnerability.
- Microsoft has provided mitigation strategies, including blocking TCP 445/SMB outbound traffic.
- A formal patch is expected on August 13, 2024, with an alternative fix already enabled.
- This disclosure coincides with Microsoft’s efforts to address two additional zero-day vulnerabilities in Windows systems.
Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors.
The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office –
- Microsoft Office 2016 for 32-bit edition and 64-bit editions
- Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
- Microsoft Office 2019 for 32-bit and 64-bit editions
Credited with discovering and reporting the vulnerability are researchers Jim Rush and Metin Yunus Kandemir.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft said in an advisory.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
A formal patch for CVE-2024-38200 is expected to be shipped on August 13 as part of its monthly Patch Tuesday updates, but the tech giant said it identified an alternative fix that it has enabled via Feature Flighting as of July 30, 2024.
It also noted that while customers are already protected on all in-support versions of Microsoft Office and Microsoft 365, it’s essential to update to the final version of the patch when it becomes available in a couple of days for optimal protection.
Microsoft, which has tagged the flaw with an “Exploitation Less Likely” assessment, has further outlined three mitigation strategies –
- Block TCP 445/SMB outbound from the network by using a perimeter firewall, a local firewall, and via VPN settings to prevent the sending of NTLM authentication messages to remote file shares
The disclosure comes as Microsoft said it’s working on addressing two zero-day flaws (CVE-2024-38202 and CVE-2024-21302) that could be exploited to “unpatch” up-to-date Windows systems and reintroduce old vulnerabilities.
Earlier this week, Elastic Security Labs lifted the lid on a variety of methods that attackers can avail in order to run malicious apps without triggering Windows Smart App Control and SmartScreen warnings, including a technique called LNK stomping that’s been exploited in the wild for over six years.
Source: https://thehackernews.com/2024/08/microsoft-warns-of-unpatched-office.html