Microsoft has disclosed a potentially disruptive flaw in multiple versions of its Office software suite that could allow threat actors to access sensitive information.
The flaw is described as an information disclosure weakness, and is tracked as CVE-2024-38200. It affects both 32-bit and 64-bit versions of the product, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
Microsoft argues that threat actors most likely won’t seek to exploit the flaw, since it requires heavy interaction from the victim’s side, and mainly affects older versions of Office that many users no longer run.
Feature Flighting
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft said in its advisory.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
While this sounds like a lot of work, we’ve seen threat actors successfully pull off even more complex attacks that require victims to take multiple steps.
In any case, Microsoft fixed the vulnerability via Feature Flighting on July 30, BleepingComputer reports.
“No, we identified an alternative fix to this issue that we enabled via Feature Flighting on 7/30/2024,” reads the updated CVE-2024-38200 advisory. “Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix.”
Those that are unable to apply the patch can work around the issue by blocking outbound NTLM traffic to remote servers. More details about the mitigation measure can be found here.
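One way to stage this workaround on a single Windows host, as an added example that is not taken from Microsoft's advisory or from this article. It assumes the block is applied through the local "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy value, and it starts in audit mode so that legitimate NTLM dependencies show up before anything is denied. The function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: audit first, then deny, outbound NTLM on one host.
# Assumption: the workaround is applied through this LSA policy value.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Value    = 'RestrictSendingNTLMTraffic'   # 0 = allow all, 1 = audit all, 2 = deny all
$ModeName = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutboundNtlmMode {
    $item = Get-ItemProperty -Path $LsaKey -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }      # value absent: default is allow
    return [int]$item.$Value
}

function Set-OutboundNtlmMode {
    param([ValidateSet(0, 1, 2)][int]$Mode)
    Set-ItemProperty -Path $LsaKey -Name $Value -Value $Mode -Type DWord
}

function Get-OutboundNtlmAuditSummary {
    # Event 8001 in the NTLM operational log records each outgoing NTLM
    # authentication that "deny all" would have blocked.
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: EventData field names TargetName / ProcessName;
            # confirm them against one raw event on your Windows build.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{ Target = $data['TargetName']; Process = $data['ProcessName'] }
        } |
        Group-Object Target, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

"Current mode: $($ModeName[(Get-OutboundNtlmMode)])"
# Move from "allow" to "audit" only; never jump straight to "deny".
if ((Get-OutboundNtlmMode) -eq 0) { Set-OutboundNtlmMode -Mode 1 }
# Servers and processes that would break under "deny all":
Get-OutboundNtlmAuditSummary | Format-Table -AutoSize
# Once the summary holds only unwanted targets: Set-OutboundNtlmMode -Mode 2
```

In a domain, the same value is normally set through Group Policy rather than per host, and a local registry change will be overwritten at the next policy refresh.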
Via BleepingComputer