Microsoft has disclosed a zero-day vulnerability in Office that could allow threat actors to gain unauthorized access to sensitive data.
Tracked as CVE-2024-38200 with a CVSS score of 7.5, the vulnerability is classified as a spoofing flaw and affects several Office versions, including:
- Microsoft Office 2016 for 32-bit and 64-bit editions
- Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
- Microsoft Office 2019 for 32-bit and 64-bit editions
Credit for discovering and reporting this vulnerability goes to researchers Jim Rush and Metin Yunus Kandemir.
According to Microsoft, exploitation could occur in a web-based attack scenario through a specially crafted file hosted on a website; it requires user interaction, such as clicking a link or opening the malicious file.
A fix for CVE-2024-38200 is expected to be included in the upcoming Patch Tuesday updates on August 13, with an interim solution already deployed via Feature Flighting since July 30, 2024.
While current Microsoft Office and Microsoft 365 users are partially protected, it is crucial to apply the final patch for complete security.
Microsoft has rated this vulnerability “Exploitation Less Likely” and advised the following mitigation:
- Block outbound TCP 445/SMB traffic using firewall and VPN settings, so that NTLM authentication messages cannot reach remote file shares
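The firewall part of that mitigation, written out as an added example rather than guidance taken from Microsoft's advisory or the article: it creates an outbound Windows Firewall block rule for TCP 445 and then checks that the rule is present, enabled and blocking. The rule name, the two function names and the choice to scope the rule with the predefined `Internet` address keyword (so shares on the local subnet keep working) are this example's own assumptions, not something the page specifies.

```powershell
# Added example (not from the original article): block outbound SMB/TCP 445 to
# non-local networks with the built-in Windows Firewall, then verify the rule.
# Assumptions: an elevated PowerShell session on a host where file shares on the
# local subnet should keep working; change -RemoteAddress to Any for a full block.

$ruleName = 'Block Outbound SMB to Internet (CVE-2024-38200 mitigation)'

function New-OutboundSmbBlockRule {
    # Remove any earlier copy so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Block TCP 445 outbound on every profile; the 'Internet' keyword limits the
    # rule to addresses outside the local subnet and intranet ranges.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Protocol TCP `
        -RemotePort 445 `
        -RemoteAddress Internet `
        -Action Block `
        -Profile Any `
        -Enabled True `
        -Description 'Stops NTLM authentication messages from reaching remote file shares.'
}

function Test-OutboundSmbBlockRule {
    # Returns $true only if the rule exists, is enabled, is outbound, blocks,
    # and still targets remote port 445 (someone may have edited it later).
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $rule) { return $false }
    $port = $rule | Get-NetFirewallPortFilter
    return ($rule.Enabled -eq 'True') -and
           ($rule.Action -eq 'Block') -and
           ($rule.Direction -eq 'Outbound') -and
           ($port.Protocol -eq 'TCP') -and
           ($port.RemotePort -eq '445')
}

New-OutboundSmbBlockRule | Out-Null
if (Test-OutboundSmbBlockRule) {
    Write-Host "Outbound SMB block rule is in place: $ruleName"
} else {
    Write-Warning "Rule was not created as expected; confirm the session is elevated."
}
```

The check function is worth keeping as a scheduled compliance test, since a host-local firewall rule can be disabled or edited after deployment. For laptops that leave the corporate network, the same block needs to exist in the VPN client's policy as well, which is why the advisory lists both firewall and VPN settings; a host that tunnels all traffic through the VPN is only covered if the VPN concentrator also drops outbound 445.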
This disclosure follows Microsoft’s efforts to address two other zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302) that could potentially bypass security measures and reintroduce old vulnerabilities in Windows systems.
Elastic Security Labs recently shed light on attacker techniques, such as LNK stomping, that can circumvent Windows security controls, highlighting the importance of staying vigilant against evolving threats.
