Microsoft Confirms Office Vulnerability, Patch Development Ongoing

Microsoft says it is working on a patch for the critical unpatched zero-day vulnerability found in multiple Office versions.

Microsoft has disclosed a zero-day vulnerability affecting several versions of its Office suite, notably Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. The flaw, known as CVE-2024-38200, remains unpatched and can potentially grant unauthorized access to private data.

Impact and Potential Exploits

According to Microsoft, the security issue affects a wide range of Office editions. Although Microsoft rates the exploitation probability as low, MITRE categorizes it as highly likely to be exploited. Attackers could host a website containing a malicious file that exploits this vulnerability, then use deceptive emails or instant messages to trick users into visiting the site and opening the file.

Security professionals Jim Rush from PrivSec Consulting and Metin Yunus Kandemir of Synack Red Team identified the flaw. PrivSec’s Managing Director, Peter Jakowetz, indicated that Rush will discuss the vulnerability at his Defcon talk, titled “NTLM – The Last Ride.” The session will reveal several newly identified bugs in Microsoft’s software, highlighting overlooked security flaws in NTLM protocols.

Microsoft’s Response

Microsoft is in the process of developing updates to fix CVE-2024-38200 but has not yet announced a release date. The company is addressing other zero-day vulnerabilities, including those capable of reversing current security patches, potentially exposing systems to old threats again. Efforts also include addressing a bypass vulnerability related to Windows Smart App Control and SmartScreen, exploited since 2018.

The zero-day flaw, also recorded as CVE-2023-36884, has seen active exploitation. It allows attackers to run arbitrary code on compromised systems through malicious Office documents. Microsoft recommends users treat files from unknown sources with caution and has issued guidelines to mitigate the risk of exploitation. The company is working with cybersecurity researchers to accelerate the delivery of a patch.

Last Updated on November 7, 2024 3:20 pm CET

Source: Microsoft
Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
