Microsoft has disclosed an unpatched zero-day vulnerability in Office that, if successfully exploited, could enable malicious actors to gain unauthorized access to sensitive information.
The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office –
Microsoft Office 2016 for 32-bit and 64-bit editions
Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
Microsoft Office 2019 for 32-bit and 64-bit editions
The vulnerability was discovered and reported by researchers Jim Rush and Metin Yunus Kandemir.
“In a web-based attack situation, an attacker could have a site (or leverage a compromised site that acknowledges or hosts user-provided content) that contains an exceptionally created record that is intended to take advantage of the vulnerability,” Microsoft said in an advisory.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
A formal patch for CVE-2024-38200 is expected to ship on August 13 as part of Microsoft's monthly Patch Tuesday updates; however, the tech giant said it identified an alternative fix that it has enabled via Feature Flighting as of July 30, 2024.
It also said that although customers on all in-support versions of Microsoft Office and Microsoft 365 are already protected, they should still install the final patch, due in a few days, for optimal protection.
Microsoft, which has labeled the flaw with an “Exploitation Less Likely” assessment, has further outlined three mitigation strategies –
Configure the “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy setting, which allows a computer running Windows 7, Windows Server 2008, or later to allow, block, or audit outgoing NTLM traffic to any Windows-based remote server
Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism
Block outbound TCP 445/SMB traffic from the network using a border firewall, a local firewall, and VPN settings, to prevent NTLM authentication messages from being sent to remote file shares
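The three mitigations above can be audited and partly applied from an elevated PowerShell session. The following script is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory module is installed for the Protected Users check, and it scopes the local firewall rule to the Public profile (a hypothetical choice made here so that intranet file shares keep working).

```powershell
# Added example: audit the CVE-2024-38200 mitigations on a Windows host and,
# optionally, add the outbound TCP 445 block rule. Assumes an elevated session
# and the ActiveDirectory module (for Get-ADGroupMember).
#Requires -RunAsAdministrator

function Get-NtlmRestrictionStatus {
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # is stored as RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $value = (Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic `
                  -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($value) {
        2       { 'Deny all' }
        1       { 'Audit all' }
        default { 'Allow all (not configured)' }
    }
}

function Test-ProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Members of Protected Users cannot authenticate with NTLM at all
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return ($members -contains $SamAccountName)
}

function Set-OutboundSmbBlock {
    # Local-firewall part of the third mitigation; border firewall and VPN
    # settings must still be handled on those devices. Public profile only (assumption).
    $name = 'Block outbound SMB (TCP 445) - CVE-2024-38200 mitigation'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Public | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

function Get-RecentOutgoingNtlmAudit {
    # With the policy set to "Audit all", event 8001 in the NTLM operational log
    # records each outgoing NTLM authentication that "Deny all" would have blocked
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

"Outgoing NTLM policy : $(Get-NtlmRestrictionStatus)"
"Recent audited outgoing NTLM events:"
Get-RecentOutgoingNtlmAudit | Format-Table -AutoSize
```

Run `Set-OutboundSmbBlock` only after reviewing the audit events, since the rule will also block legitimate SMB connections on the chosen profile.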
The disclosure comes as Microsoft said it’s working on addressing two zero-day flaws (CVE-2024-38202 and CVE-2024-21302) that could be exploited to “unpatch” up-to-date Windows systems and reintroduce old vulnerabilities.
Recently, Elastic Security Labs detailed various techniques that attackers can use to run malicious applications without triggering Windows Smart Application Control and SmartScreen alerts, including a method called LNK stomping that has been exploited in the wild for over six years.