Microsoft warns of unpatched Office vulnerability that leads to data exposure

Microsoft has disclosed an unpatched zero-day vulnerability in Office that, if successfully exploited, could result in the unauthorized disclosure of sensitive information to malicious actors.

Tracked as CVE-2024-38200 (CVSS score: 7.5), the vulnerability is described as an impersonation flaw affecting the following Office versions:

– Microsoft Office 2016 for 32-bit and 64-bit editions

– Microsoft Office LTSC 2021 for 32-bit and 64-bit editions

– Microsoft 365 Apps for Enterprise for 32-bit and 64-bit systems

– Microsoft Office 2019 for 32-bit and 64-bit editions

The discovery and reporting of the vulnerability have been credited to researchers Jim Rush and Metin Yunus Kandemir.

"In a web-based attack scenario, an attacker could host a website (or exploit a compromised website that accepts or hosts user-provided content) containing a specially crafted file to exploit the vulnerability," said Microsoft in an advisory. "However, an attacker would have no way to force a user to visit the website. Instead, an attacker would need to convince the user to click on a link, typically through an enticement in an email or instant message, and then convince the user to open the specially crafted file."

A formal patch for CVE-2024-38200 is expected to be rolled out on August 13 as part of Patch Tuesday monthly updates, but the tech giant stated that it has identified a workaround that has been enabled through Feature Flighting as of July 30, 2024.

It also noted that while customers are already protected across all supported versions of Microsoft Office and Microsoft 365, updating to the final patch version when it becomes available in a couple of days is essential for optimal protection.

Microsoft, which has labeled the flaw with an "Exploitation Less Likely" assessment, has outlined three mitigation strategies:

– Configuring the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting, which provides the ability to allow, block, or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system

– Adding users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism

– Blocking outgoing TCP 445/SMB from the network using a perimeter firewall, local firewall, and VPN settings to prevent the transmission of NTLM authentication messages to remote file shares.
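The following PowerShell script is an added example, not code from the article or from Microsoft, showing how an administrator could audit the three mitigations above on a Windows host and, with the script's own `-Apply` switch, put them in place. It assumes that the "Outgoing NTLM traffic to remote servers" policy is backed by the `RestrictSendingNTLMTraffic` DWORD under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` (0 = allow all, 1 = audit all, 2 = deny all), that outgoing NTLM audit events appear as event ID 8001 in the `Microsoft-Windows-NTLM/Operational` log, and that the ActiveDirectory module is installed for the Protected Users check; the rule name and the `-UsersToProtect` parameter are the script's own choices.

```powershell
# Added example (not from the article or Microsoft): audit and optionally apply the
# three CVE-2024-38200 mitigations listed above. Run from an elevated PowerShell.
[CmdletBinding()]
param(
    [switch]$Apply,                  # without -Apply the script only reports
    [string[]]$UsersToProtect = @()  # sAMAccountNames to add to Protected Users (assumed parameter)
)

# Assumed registry backing for the "Outgoing NTLM traffic to remote servers" policy.
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'RestrictSendingNTLMTraffic'
$ruleName  = 'Block outbound SMB (TCP 445) - CVE-2024-38200 mitigation'  # name chosen for this script

# 1. Outgoing NTLM policy: report the current state. Audit (1) is a safe first step
#    because it logs each outgoing NTLM authentication without breaking anything.
$current = (Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    $meaning = 'Not configured (allow)'
} else {
    $meaning = switch ($current) { 0 { 'Allow all' } 1 { 'Audit all' } 2 { 'Deny all' } default { "Unknown ($current)" } }
}
Write-Output "Outgoing NTLM to remote servers: $meaning"
if ($Apply -and $current -ne 2) {
    New-ItemProperty -Path $lsaPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'Set outgoing NTLM policy to Audit all (1); review the NTLM operational log before moving to Deny all (2).'
}

# In audit mode each outgoing NTLM authentication is recorded as event 8001 in
# Microsoft-Windows-NTLM/Operational (assumed), which reveals hosts that still rely on NTLM.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
Write-Output ("Recent outgoing NTLM authentications logged: {0}" -f @($recent).Count)
$recent | ForEach-Object { Write-Output ("  {0}  {1}" -f $_.TimeCreated, ($_.Message -split "`n")[0]) }

# 2. Protected Users: membership prevents NTLM authentication for those accounts.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $members = Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
    Write-Output ("Protected Users members: {0}" -f ($members -join ', '))
    foreach ($u in $UsersToProtect) {
        if ($members -notcontains $u) {
            if ($Apply) {
                Add-ADGroupMember -Identity 'Protected Users' -Members $u
                Write-Output "Added $u to Protected Users"
            } else {
                Write-Output "$u is NOT in Protected Users"
            }
        }
    }
} else {
    Write-Output 'ActiveDirectory module not available; skipping Protected Users check.'
}

# 3. Outbound TCP 445: a local Windows Firewall rule stops NTLM messages reaching remote
#    file shares. The rule is scoped to the Public and Private profiles here so that
#    domain file shares keep working; check for it first so the script is idempotent.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Output "Firewall rule present: $ruleName (Enabled: $($rule.Enabled))"
} elseif ($Apply) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP -RemotePort 445 `
                        -Action Block -Profile Public,Private | Out-Null
    Write-Output "Created firewall rule: $ruleName"
} else {
    Write-Output 'No outbound TCP 445 block rule found.'
}
```

Run it without arguments to get a read-only report; `.\Check-Ntlm.ps1 -Apply -UsersToProtect alice,bob` moves the NTLM policy to audit, adds the named accounts to Protected Users and creates the firewall rule. The script deliberately stops at audit mode for the NTLM policy: the 8001 events it lists are the evidence needed to decide whether "Deny all" would break legitimate authentication.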

The disclosure comes at a time when Microsoft has indicated that it’s working on addressing two zero-day flaws (CVE-2024-38202 and CVE-2024-21302) that could be exploited to «unpatch» updated Windows systems and reintroduce old vulnerabilities.

Earlier this week, Elastic Security Labs uncovered a variety of methods that attackers can use to run malicious applications without triggering SmartScreen and Smart App Control warnings in Windows, including a technique called LNK stomping that has been exploited in the wild for over six years.

Via The Hacker News