Microsoft has disclosed a significant security vulnerability in its Office suite, identified as CVE-2024-38200, which could potentially allow attackers to access sensitive information.
This spoofing vulnerability affects multiple versions of Microsoft Office, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise, across both 32-bit and 64-bit systems.
The vulnerability, rated with a CVSS score of 7.5, is considered important due to its potential to expose sensitive information to unauthorized actors, classified under CWE-200.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
Despite the high severity, Microsoft has assessed the likelihood of exploitation as “less likely,” indicating that while the threat is serious, immediate widespread exploitation is not anticipated.
In a typical attack scenario, an attacker could host a malicious website or compromise an existing one to deliver a specially crafted file to the victim.
The attacker would need to persuade the user to visit the website and open the file, often through deceptive emails or instant messages. This method relies on user interaction, which is a critical factor in its exploitability.
Microsoft has already implemented an alternative fix via Feature Flighting as of July 30, 2024, to protect users on all supported versions of Microsoft Office and Microsoft 365.
However, the company advises users to apply the upcoming formal patch on August 13, 2024, for comprehensive protection.
To mitigate the risk, Microsoft recommends several strategies:
- Restrict NTLM Traffic: Configure the network security policy to block or audit outgoing NTLM traffic to remote servers.
- Protected Users Security Group: Add high-value accounts to this group to prevent NTLM usage.
- Block TCP 445/SMB: Use firewalls to block outbound traffic on this port, reducing exposure to NTLM authentication messages.
The discovery of this vulnerability is credited to Jim Rush from PrivSec Consulting and Metin Yunus Kandemir from Synack Red Team. Further insights are expected from Rush’s presentation at DEF CON 2024, where he will discuss this and other vulnerabilities.
Microsoft continues to work on addressing additional vulnerabilities, emphasizing the importance of keeping systems updated to prevent exploitation. Users are encouraged to remain vigilant and apply security patches promptly to safeguard their data.
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download