Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure

Vulnerability / Enterprise Security

Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors.

The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office -

• Microsoft Office 2016 for 32-bit edition and 64-bit editions
• Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
• Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
• Microsoft Office 2019 for 32-bit and 64-bit editions

Credited with discovering and reporting the vulnerability are researchers Jim Rush and Metin Yunus Kandemir.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft said in an advisory.

“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”

A formal patch for CVE-2024-38200 is expected to be shipped on August 13 as part of its monthly Patch Tuesday updates, but the tech giant said it identified an alternative fix that it has enabled via Feature Flighting as of July 30, 2024.

It also noted that while customers are already protected on all in-support versions of Microsoft Office and Microsoft 365, it’s essential to update to the final version of the patch when it becomes available in a couple of days for optimal protection.

Microsoft, which has tagged the flaw with an “Exploitation Less Likely” assessment, has further outlined three mitigation strategies -

• Configuring the “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy setting provides the ability to allow, block, or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system

• Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism

• Block TCP 445/SMB outbound from the network by using a perimeter firewall, a local firewall, and via VPN settings to prevent the sending of NTLM authentication messages to remote file shares

The disclosure comes as Microsoft said it’s working on addressing two zero-day flaws (CVE-2024-38202 and CVE-2024-21302) that could be exploited to “unpatch” up-to-date Windows systems and reintroduce old vulnerabilities.

Earlier this week, Elastic Security Labs lifted the lid on a variety of methods that attackers can avail in order to run malicious apps without triggering Windows Smart App Control and SmartScreen warnings, including a technique called LNK stomping that’s been exploited in the wild for over six years.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.