Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could lead to the unauthorized disclosure of sensitive information to attackers.
The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office –
- Microsoft Office 2016 for 32-bit and 64-bit versions
- Microsoft Office LTSC 2021 for 32-bit and 64-bit
- Microsoft 365 apps for business for 32-bit and 64-bit systems
- Microsoft Office 2019 for 32-bit and 64-bit versions
Researchers Jim Rush and Metin Yunus Kandemir are credited with discovering and reporting the vulnerability.
“In a web-based attack scenario, an attacker could host a website (or use a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability,” Microsoft said in an advisory.
“However, there would be no way for an attacker to force a user to visit a website. Instead, an attacker would have to convince the user to click on a link, typically through a lure in an email or Instant Messenger message, and then convince the user to open a specially crafted file.”
The official patch for CVE-2024-38200 is expected to ship on August 13 as part of Microsoft's monthly Update Tuesday release, but the tech giant said it has identified an alternative fix that it has been rolling out via Feature Flighting since July 30, 2024.
It also noted that while customers on all supported versions of Microsoft Office and Microsoft 365 are already protected by that interim fix, it is critical to install the final version of the patch when it becomes available in a few days for optimal protection.
Microsoft, which rated the flaw as “Least Likely to Exploit,” outlined three mitigation strategies, including:
- Block outbound TCP 445/SMB from the network using a perimeter firewall, local firewall, and VPN settings to prevent NTLM authentication messages from being sent to remote shares
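The following is an added example of how the outbound-SMB mitigation above could be applied and verified on a Windows endpoint with Windows Defender Firewall; it is not code from Microsoft's advisory or from the article. The rule name, the placeholder external host and the use of the `Internet` remote-address keyword for scoping are this example's own assumptions; run it in an elevated PowerShell session.

```powershell
# Added example (not from Microsoft's advisory): create, verify and audit a Windows
# Defender Firewall rule that blocks outbound TCP 445, the first mitigation listed for
# CVE-2024-38200. The rule name below is this example's own choice.

$ruleName = 'Block outbound SMB (CVE-2024-38200 mitigation)'

# 1. Create the block rule if it does not already exist. -Profile Any covers the domain,
#    private and public profiles, so a laptop that leaves the corporate network stays covered.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Environments with internal file servers usually cannot block 445 to every destination.
# Windows Firewall evaluates Block rules before Allow rules, so an Allow rule for the
# intranet would not help; the Block rule itself must be scoped. One option (assumption:
# the 'Internet' keyword matches destinations outside the local subnets) is:
# Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress Internet

# 2. Verify the rule is enabled and bound to the expected direction, protocol and port.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Enabled    = $rule.Enabled
    Direction  = $rule.Direction
    Action     = $rule.Action
    Protocol   = $port.Protocol
    RemotePort = $port.RemotePort
} | Format-List

# 3. Log dropped packets so blocked SMB attempts become visible for detection.
#    Default log path: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
Set-NetFirewallProfile -All -LogBlocked True

# 4. Functional check from the endpoint: a TCP 445 probe to a host outside the network
#    ('external-host.example' is a placeholder) should now report TcpTestSucceeded = False.
Test-NetConnection -ComputerName 'external-host.example' -Port 445 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

In a managed estate the same rule is better pushed through Group Policy or an MDM profile than created per host, and the perimeter firewall should block outbound 445 independently so that the endpoint rule is not the only control; the endpoint log enabled in step 3 gives the SOC a record of which hosts attempted outbound SMB after the rule went in.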
The disclosure comes as Microsoft said it is working to address two zero-day flaws (CVE-2024-38202 and CVE-2024-21302) that can be abused to “unpatch” up-to-date Windows systems and reintroduce older vulnerabilities.
Earlier this week, Elastic Security Labs lifted the lid on various methods attackers can use to run malware without triggering Windows Smart App Control and SmartScreen warnings, including a technique called LNK stomping that has been in the wild for more than six years.