Microsoft Alerts on Unfixed Office Weakness Resulting in Data Exposure
Microsoft has revealed an unpatched zero-day in Office that, if exploited successfully, may cause unauthorized disclosure of confidential information to malicious actors.
The weakness, identified as CVE-2024-38200 (CVSS score: 7.5), has been labeled as a trickery flaw affecting the following Office versions –
- Microsoft Office 2016 for 32-bit and 64-bit versions
- Microsoft Office LTSC 2021 for 32-bit and 64-bit versions
- Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
- Microsoft Office 2019 for 32-bit and 64-bit versions
Attributed with uncovering and reporting the weakness are researchers Jim Rush and Metin Yunus Kandemir.
“In a web-based attack scenario, a wrongdoer could host a website (or exploit a compromised website that accepts or hosts user-supplied content) containing a specially crafted file aimed at exploiting the vulnerability,” Microsoft stated in a notice.
“However, a malefactor would lack a method to compel the user to visit the site. Instead, a malefactor would need to persuade the user to click a link, typically using an incentive in an email or Instant Messenger notification, and subsequently to open the specifically crafted file.”
An official fix for CVE-2024-38200 is set to be released on August 13 as part of its monthly Patch Tuesday updates; nevertheless, the technology behemoth mentioned it has identified an alternative solution activated via Feature Flighting since July 30, 2024.
The company also highlighted that while clients are already shielded on all supported Office and Microsoft 365 versions, it’s crucial to update to the final patch version when it’s rolled out in a couple of days for maximum protection.
Microsoft, which has categorized the flaw with a “Low Probability of Exploitation” assessment, has additionally outlined three measures for alleviation –
- Restrict TCP 445/SMB outbound from the network by utilizing a perimeter firewall, a local firewall, and through VPN settings to stop the transmission of NTLM authentication messages to remote file shares
The disclosure coincides with Microsoft declaring its efforts towards addressing two zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302) that could be utilized to “unpatch” up-to-date Windows systems and reintroduce old vulnerabilities.
Earlier this week, Elastic Security Labs revealed various tactics that malefactors can employ to run malicious applications without triggering Windows Smart App Control and SmartScreen alerts, including a method known as LNK stomping that has been exploited in the wild for over six years.
About Author
