Microsoft has disclosed a critical, unpatched zero-day vulnerability in Office which, if successfully exploited, could allow unauthorized individuals to access and expose sensitive information.
Designated as CVE-2024-38200 (with a CVSS rating of 7.5), this flaw is categorized as a spoofing vulnerability, affecting the following Office versions:
- Microsoft Office 2016 for both 32-bit and 64-bit editions
- Microsoft Office LTSC 2021 for both 32-bit and 64-bit editions
- Microsoft 365 Apps for Enterprise for both 32-bit and 64-bit systems
- Microsoft Office 2019 for both 32-bit and 64-bit editions
This vulnerability was uncovered and reported by researchers Jim Rush and Metin Yunus Kandemir.
“In a scenario involving a web-based attack, an adversary might host a malicious website (or exploit a compromised website capable of hosting user-uploaded content) containing a specifically designed file intended to take advantage of this vulnerability,” Microsoft disclosed in its advisory.
“However, the attacker cannot force the user to visit the website. Instead, they must entice the user into clicking a link, typically through a phishing attempt via email or an instant messaging service, and subsequently persuade the user to open the crafted file.”
A formal patch for CVE-2024-38200 is anticipated to be released on August 13 as part of Microsoft’s regular Patch Tuesday updates. Nonetheless, the tech conglomerate has indicated that an alternative remedy has been identified and implemented via Feature Flighting as of July 30, 2024.
Moreover, while customers using all supported versions of Microsoft Office and Microsoft 365 are already safeguarded, it is crucial to update to the final patch version once it becomes available for comprehensive protection.
Microsoft, which has assessed the flaw with an “Exploitation Less Likely” classification, has also delineated three mitigation strategies:
- Configuring the “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy setting, which lets administrators allow, deny, or audit outgoing NTLM traffic from a Windows 7, Windows Server 2008, or later system to any remote server running Windows.
- Incorporating users into the Protected Users Security Group, which precludes the use of NTLM as an authentication mechanism.
- Blocking TCP 445/SMB outbound traffic from the network by employing perimeter firewalls, local firewalls, and VPN settings to inhibit NTLM authentication messages from being transmitted to remote file shares.
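The three mitigations above as one PowerShell script, added here as an example rather than taken from the article or from Microsoft. It assumes an elevated session on a domain-joined Windows host with the RSAT ActiveDirectory module installed, and it defaults to audit mode so that legitimate NTLM dependencies show up in the NTLM operational log before anything is denied; the rule name and parameter names are the author's own choices.

```powershell
# Added example: apply and verify the advisory's three mitigations for CVE-2024-38200.
# Assumptions: run elevated; RSAT ActiveDirectory module present for the group step.
param(
    [ValidateSet('Allow','Audit','Deny')] [string]$NtlmMode = 'Audit',
    [string[]]$ProtectUsers = @(),          # sAMAccountNames to add to Protected Users
    [string[]]$AllowedNtlmServers = @()     # exceptions, e.g. legacy file servers still needing NTLM
)

# 1. "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is backed by
#    the MSV1_0 registry value RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$modeValue = @{ Allow = 0; Audit = 1; Deny = 2 }[$NtlmMode]
Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Value $modeValue -Type DWord
if ($AllowedNtlmServers.Count -gt 0) {
    # Servers listed here are exempt from the restriction (policy: "Add remote server exceptions").
    Set-ItemProperty -Path $lsaKey -Name 'ClientAllowedNTLMServers' -Value $AllowedNtlmServers -Type MultiString
}

# 2. Members of Protected Users cannot authenticate with NTLM at all.
foreach ($u in $ProtectUsers) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $u -ErrorAction Stop
}

# 3. Block outbound SMB (TCP 445) at the host firewall so NTLM messages cannot reach an external share.
#    The Domain profile is left open on the assumption that internal file servers are reached there.
$ruleName = 'Block-Outbound-SMB-CVE-2024-38200'   # hypothetical rule name chosen for this example
if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $ruleName -DisplayName 'Block outbound SMB (CVE-2024-38200 mitigation)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Private, Public | Out-Null
}

# Verification: effective state of all three controls plus any NTLM audit hits (event 8001 is
# "outgoing NTLM authentication that would be blocked" in the NTLM operational log).
function Get-NtlmMitigationState {
    $audit = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
                          -MaxEvents 50 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictSendingNTLMTraffic = (Get-ItemProperty $lsaKey).RestrictSendingNTLMTraffic
        OutboundSmbRuleEnabled     = (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue).Enabled
        ProtectedUsers             = (Get-ADGroupMember 'Protected Users' -ErrorAction SilentlyContinue).SamAccountName
        RecentNtlmAuditEvents      = @($audit).Count
    }
}
Get-NtlmMitigationState
```

Review the 8001 events after a few days in audit mode and move the affected servers into the exception list before switching `-NtlmMode Deny`.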
This disclosure coincides with Microsoft’s efforts to address two other zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302) that could potentially be exploited to “unpatch” up-to-date Windows systems and reinstate old vulnerabilities.
Earlier this week, Elastic Security Labs revealed several methods that adversaries could exploit to run malicious applications without triggering Windows Smart App Control and SmartScreen alerts, including a technique known as LNK stomping, which has been utilized in the wild for over six years.