Microsoft has disclosed a zero-day vulnerability affecting several versions of its Office suite, notably Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. The flaw, tracked as CVE-2024-38200, was disclosed before a fix was available and is an information-disclosure (spoofing) issue: opening a crafted file can cause Office to leak the user's NTLM authentication hash to an attacker-controlled server.
Impact and Potential Exploits
According to Microsoft, the security issue affects a wide range of Office editions. Microsoft's own exploitability assessment rates exploitation as less likely, while MITRE's classification of the underlying weakness marks it as highly likely to be exploited. In the attack scenario Microsoft describes, an attacker hosts a specially crafted file on a website and lures the victim, typically by email or instant message, into visiting the site and opening the file. The file itself carries no code; the damage is done when Office initiates an outbound connection to the attacker's server and authenticates with the user's NTLM hash, which the attacker can then crack offline or relay to other services.
Security researchers Jim Rush of PrivSec Consulting and Metin Yunus Kandemir of the Synack Red Team identified the flaw. PrivSec's Managing Director, Peter Jakowetz, said Rush will discuss the vulnerability in his DEF CON talk, "NTLM – The Last Ride." The session covers several newly identified bugs in Microsoft software, highlighting overlooked weaknesses in the NTLM protocol.
Microsoft’s Response
Microsoft is developing an update to fix CVE-2024-38200 but had not announced a release date at the time of disclosure. In the meantime, Microsoft's advisory lists three mitigations that cut off the hash leak rather than the file: configure the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy to audit or deny, add high-value accounts to the Protected Users security group (which blocks NTLM as an authentication mechanism for those accounts), and block outbound TCP port 445 (SMB) at the network perimeter so authentication traffic cannot leave the organization. Microsoft is also addressing other zero-day vulnerabilities, including downgrade attacks that roll back already-patched Windows components and re-expose systems to old flaws, and a bypass of Windows Smart App Control and SmartScreen that has been exploited since 2018.
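The following PowerShell script is an added example, not code from the article or from Microsoft. It checks and applies two of the host-level mitigations above on a single Windows machine: the outgoing-NTLM restriction (stored under the MSV1_0 registry key as RestrictSendingNTLMTraffic) and an outbound firewall block on TCP 445. The Protected Users step is shown as an optional domain command; the account name in it is a placeholder. Run it from an elevated session; the deny mode is deliberately not the default, because denying all outgoing NTLM also breaks legitimate authentication to servers that only speak NTLM, so audit first and read the NTLM operational log.

```powershell
# Added example (not from the article or from Microsoft): verify and apply the
# CVE-2024-38200 interim mitigations on one Windows host. Requires an elevated
# PowerShell session. Registry path and value semantics follow the documented
# "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.

$MsvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutboundNtlmPolicy {
    # RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
    $v = (Get-ItemProperty -Path $MsvKey -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($v) {
        2       { 'Deny all' }
        1       { 'Audit all' }
        default { 'Allow all (not configured)' }
    }
}

function Set-OutboundNtlmPolicy {
    # Start with Audit; switch to Deny only after reviewing the audit log.
    param([Parameter(Mandatory)][ValidateSet('Audit', 'Deny')][string]$Mode)
    $value = if ($Mode -eq 'Deny') { 2 } else { 1 }
    New-ItemProperty -Path $MsvKey -Name RestrictSendingNTLMTraffic `
        -PropertyType DWord -Value $value -Force | Out-Null
}

function Get-NtlmAuditEvents {
    # Event ID 8001 in the NTLM operational log records outgoing NTLM
    # authentication that the policy audited or blocked, including the target.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Test-OutboundSmbBlocked {
    # True if an enabled outbound block rule already covers TCP 445.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True `
        -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and (@($pf.RemotePort) -contains '445')) { return $true }
    }
    return $false
}

function Block-OutboundSmb {
    # Host-level stand-in for the perimeter block Microsoft recommends; an
    # edge firewall rule is still needed for hosts you do not manage this way.
    if (-not (Test-OutboundSmbBlocked)) {
        New-NetFirewallRule -DisplayName 'Block outbound SMB (TCP 445) - NTLM leak mitigation' `
            -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
}

# Usage: report current state, then apply the safe (audit) settings.
Write-Host "Outgoing NTLM policy    : $(Get-OutboundNtlmPolicy)"
Write-Host "Outbound TCP 445 blocked: $(Test-OutboundSmbBlocked)"
Set-OutboundNtlmPolicy -Mode Audit
Block-OutboundSmb
Get-NtlmAuditEvents | Format-Table -AutoSize

# Optional, domain-joined hosts with the ActiveDirectory module (placeholder user):
# Add-ADGroupMember -Identity 'Protected Users' -Members 'example.user'
```

Two caveats a practitioner will hit: the audit mode only generates 8001 events for authentications that would have been blocked, so a quiet log after a day of normal use is the signal that Deny is safe; and blocking 445 on the host does nothing for WebDAV-style leaks over HTTP, which is one reason the NTLM policy and Protected Users group are listed alongside the port block rather than instead of it.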
This is not Office's first unpatched NTLM-adjacent zero-day. A separate, earlier flaw, CVE-2023-36884, was exploited in the wild before a fix shipped; it allowed attackers to run arbitrary code on targeted systems through malicious Office documents. In that case, as now, Microsoft advised users to treat files from unknown sources with caution and published interim guidance to reduce the risk of exploitation. For CVE-2024-38200 the company says it is working with the reporting researchers to accelerate delivery of a patch.
Last Updated on November 7, 2024 3:20 pm CET