Microsoft reveals potentially serious security hole in Office – but you should probably be safe
Microsoft has disclosed a potentially disruptive security vulnerability found in multiple versions of its Office suite that could allow malicious users to access sensitive information.
The vulnerability is described as an information disclosure vulnerability and is tracked as CVE-2024-38200. It affects both 32-bit and 64-bit versions of the product, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
Microsoft assesses exploitation as less likely, chiefly because the attack needs a good deal of interaction from the victim. Note, though, that the affected list is not limited to legacy releases: it includes the current Microsoft 365 Apps for Enterprise, so the "old versions nobody runs any more" reasoning only goes so far.
Fixed via Feature Flighting
“In a web-based attack scenario, an attacker could host a website (or use a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability,” Microsoft said in its advisory.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically through an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
While this may sound like a lot of work, we have seen cybercriminals successfully execute even more complex attacks that require victims to go through multiple steps.
In any case, Microsoft had already mitigated the vulnerability on July 30 by way of Feature Flighting, its mechanism for switching a server-side feature change on for Office clients without a conventional update, as BleepingComputer reported.
“No, we have identified an alternate workaround for this issue that we enabled on 7/30/2024 via Feature Flighting,” the updated CVE-2024-38200 advisory reads. “Customers are already protected on all supported versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix.”
Those who cannot apply the August 13 update yet can reduce exposure by blocking outbound NTLM traffic to external servers, which on Windows is the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers". Blocking it outright can break legitimate NTLM connections to non-domain resources, so audit first and add exceptions for anything you find before switching to deny. More details about the mitigation can be found here.
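The following PowerShell script is an added example of applying and checking that workaround on a single host; it is not Microsoft's or BleepingComputer's code. It assumes an elevated PowerShell session on a Windows 10/11 or Windows Server machine whose NTLM settings are not already enforced by a domain GPO (a GPO would overwrite the registry value at the next policy refresh), and the firewall rule name, the "Internet" address scope and the default Audit mode are my choices, not anything from the advisory.

```powershell
# Added example (not from the original article or from Microsoft).
# Assumes: run as Administrator; host not under a conflicting domain GPO for these settings.

param(
    [ValidateSet('Allow', 'Audit', 'Deny')]
    [string]$Mode = 'Audit'   # start in Audit, move to Deny once the log is clean
)

# Registry value behind the Group Policy setting
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
# 0 = Allow all, 1 = Audit all, 2 = Deny all.
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'RestrictSendingNTLMTraffic'
$value     = switch ($Mode) { 'Allow' { 0 } 'Audit' { 1 } 'Deny' { 2 } }

# Record the current state before changing anything (absent value means "Allow all").
$before = (Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host "Current $valueName = $(if ($null -eq $before) { '<not set> (Allow all)' } else { $before })"

Set-ItemProperty -Path $lsaPath -Name $valueName -Value $value -Type DWord
Write-Host "Set $valueName = $value ($Mode)"

# Complementary control: keep SMB (and the NTLM handshake it carries) from leaving the
# network at all. Scoping to the 'Internet' keyword is my assumption; adjust -RemoteAddress
# if your environment needs SMB to specific external hosts.
$ruleName = 'Block outbound SMB to Internet'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule '$ruleName'"
} else {
    Write-Host "Firewall rule '$ruleName' already present"
}

# Verification: in Audit mode, outgoing NTLM that would have been blocked is logged
# (Event ID 8001 in the Microsoft-Windows-NTLM/Operational log) instead of denied.
# Review these entries before switching -Mode Deny; each one is a connection that will break.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Run it once with the default `-Mode Audit`, use the host normally for a while, then inspect the 8001 events; legitimate targets that show up can be whitelisted through the companion policy "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" before you rerun with `-Mode Deny`. The firewall rule stands on its own and is worth keeping even after the August 13 update is installed, since NTLM hash leakage over SMB to the Internet is not unique to this CVE.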
Via BleepingComputer