Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure

Summary:
Microsoft has revealed a critical, unpatched zero-day vulnerability in Office that could lead to the unauthorized disclosure of sensitive information if successfully exploited. This vulnerability, tracked as CVE-2024-38200 with a CVSS score of 7.5, is classified as a spoofing flaw and impacts multiple versions of Office, including:

  • Microsoft Office 2016 for 32-bit and 64-bit editions
  • Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
  • Microsoft 365 Apps for Enterprise for 32-bit and 64-bit systems
  • Microsoft Office 2019 for 32-bit and 64-bit editions

The flaw was discovered and reported by security researchers Jim Rush and Metin Yunus Kandemir. According to Microsoft's advisory, an attacker could host a website or leverage a compromised website that accepts or hosts user-provided content. This site would contain a specially crafted file designed to exploit the vulnerability. However, the attacker cannot force the user to visit the malicious website. Instead, the attacker must lure the user into clicking a link (typically delivered via email or instant messaging) and then convince the user to open the specially crafted file, which would trigger the exploit.

Security Officer Comments:
Microsoft has acknowledged the seriousness of the vulnerability and announced that a formal patch for CVE-2024-38200 will be released on August 13, 2024, as part of its monthly Patch Tuesday updates. In the meantime, the company has identified an alternative fix, which has already been enabled via a process called Feature Flighting as of July 30, 2024. This interim measure provides some level of protection across all in-support versions of Microsoft Office and Microsoft 365.

Suggested Corrections:

  • Configuring the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting provides the ability to allow, block, or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system
  • Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism
  • Block TCP 445/SMB outbound from the network by using a perimeter firewall, a local firewall, and via VPN settings to prevent the sending of NTLM authentication messages to remote file shares
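As an added example (not part of this bulletin or Microsoft's advisory), the following PowerShell audits and applies the three mitigations above on a Windows host. It assumes an elevated session, the RSAT ActiveDirectory module for the Protected Users step, and that the `RestrictSendingNTLMTraffic` / `ClientAllowedNTLMServers` registry values and the `Internet` firewall address keyword are the correct backing settings for the listed policies; test the firewall scope in your own environment before rollout.

```powershell
# Added example: audit and apply the NTLM/SMB mitigations listed above.
# Assumes an elevated PowerShell session on Windows 10 / Server 2016 or later.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    is backed by RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all.
function Get-NtlmOutboundPolicy {
    $v = (Get-ItemProperty -Path $Lsa -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($v) { 1 { 'Audit all' } 2 { 'Deny all' } default { 'Allow all (not configured)' } }
}
function Set-NtlmOutboundPolicy {
    param([ValidateSet('Audit', 'Deny')][string]$Mode = 'Audit',
          [string[]]$AllowedServers = @())   # e.g. internal file servers that still need NTLM
    $value = if ($Mode -eq 'Audit') { 1 } else { 2 }
    Set-ItemProperty -Path $Lsa -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($AllowedServers) {
        # Maps to "Restrict NTLM: Add remote server exceptions for NTLM authentication"
        Set-ItemProperty -Path $Lsa -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
}

# 2. Protected Users: members cannot authenticate with NTLM at all, so a coerced
#    outbound NTLM exchange from their session yields nothing usable.
function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Import-Module ActiveDirectory
    # Pilot with a small group first: the group also disables RC4/DES Kerberos,
    # delegation and long ticket lifetimes, which can break legacy services.
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

# 3. Block outbound SMB (TCP 445) to non-local addresses at the host firewall.
function Add-SmbOutboundBlockRule {
    param([string]$RemoteAddress = 'Internet')  # built-in keyword; use explicit ranges if NLA is unreliable
    $name = 'Block outbound SMB to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress $RemoteAddress -Action Block -Profile Any | Out-Null
    }
}

# Typical rollout: audit first, review Event ID 8001 in the
# Microsoft-Windows-NTLM/Operational log for legitimate NTLM targets, then switch to Deny.
Set-NtlmOutboundPolicy -Mode Audit
Add-SmbOutboundBlockRule
"Outbound NTLM policy now: $(Get-NtlmOutboundPolicy)"
```

The registry edits take effect for new logons; a domain-wide deployment should set the same values through Group Policy rather than per host.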

Link(s):
https://thehackernews.com/2024/08/microsoft-warns-of-unpatched-office.html