Beware: Hackers can steal your data with Microsoft Office spoofing

August 12, 2024

TLDR:

Microsoft has disclosed CVE-2024-38200, a spoofing vulnerability in the Office suite that can expose sensitive information, specifically the user's NTLM credential material, to an attacker. It affects Office 2016, Office 2019, Office LTSC 2021 and Microsoft 365 Apps for Enterprise, although immediate widespread exploitation is not expected. Microsoft has already shipped an interim mitigation through Feature Flighting; the formal patch arrives with the August 13, 2024 security updates and should be applied for comprehensive protection. Until then Microsoft recommends restricting outgoing NTLM traffic, placing high-value accounts in the Protected Users security group, and blocking outbound TCP 445/SMB. The vulnerability was reported by Jim Rush and Metin Yunus Kandemir.

Article:

Microsoft has disclosed a significant security vulnerability in its Office suite, tracked as CVE-2024-38200, which could allow attackers to obtain sensitive information. This spoofing vulnerability affects multiple versions of Microsoft Office, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise, in both 32-bit and 64-bit editions. It carries a CVSS base score of 7.5 and a Microsoft severity rating of Important because it can expose sensitive information to an unauthorized actor (CWE-200); the information at risk is the user's NTLM credential material, which is why every mitigation Microsoft lists targets NTLM.

In the attack scenario Microsoft describes, an attacker hosts a malicious website, or compromises a legitimate one, that serves a specially crafted file, then persuades the victim by email or instant message to visit the site and open the file. The mitigations show what happens next: the file follows the familiar NTLM-leak pattern, causing Office to connect to an attacker-controlled server and authenticate with NTLM, so the attacker captures the user's NTLM response and can crack it offline or relay it. Microsoft enabled an interim fix through Feature Flighting on July 30, 2024, which protects all supported versions of Microsoft Office and Microsoft 365 without a client update, but it advises customers to install the formal security update released on August 13, 2024 for comprehensive protection.

Until the update is installed, Microsoft recommends three mitigations: restrict outgoing NTLM traffic to remote servers with the "Network security: Restrict NTLM" group policies (audit first, because denying all outbound NTLM breaks anything that still depends on it); add high-value accounts, such as domain administrators, to the Protected Users security group, whose members cannot authenticate with NTLM at all; and block outbound TCP 445/SMB at the perimeter firewall, the local firewall and VPN settings so that NTLM authentication cannot reach hosts on the Internet. None of these replaces the patch. The discovery of this vulnerability is credited to Jim Rush of PrivSec Consulting and Metin Yunus Kandemir of the Synack Red Team.
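The three mitigations as one PowerShell script, added here as an example; it is not code from the article or from Microsoft. It assumes it runs elevated on a domain-joined Windows host with the ActiveDirectory RSAT module installed, and the account names passed to Add-ToProtectedUsers are placeholders you would replace with your own high-value accounts.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): applies the three
# CVE-2024-38200 mitigations and reports the outgoing-NTLM policy before and after.

# 1. Restrict outgoing NTLM. This registry value backs the policy
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#    0 = Allow all (default), 1 = Audit all, 2 = Deny all.
$ntlmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlmValue = 'RestrictSendingNTLMTraffic'

function Get-OutgoingNtlmPolicy {
    $current = Get-ItemProperty -Path $ntlmKey -Name $ntlmValue -ErrorAction SilentlyContinue
    $mode = if ($current) { [int]$current.$ntlmValue } else { 0 }
    switch ($mode) {
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { 'Allow all (default)' }
    }
}

function Set-OutgoingNtlmPolicy {
    param([ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    New-ItemProperty -Path $ntlmKey -Name $ntlmValue -PropertyType DWord -Value $value -Force | Out-Null
}

# 2. Block outbound SMB so a crafted document cannot reach an attacker's server on 445.
#    Default to the Public and Private profiles: blocking 445 in the Domain profile
#    also breaks internal file shares and SYSVOL, so leave on-network traffic to the
#    perimeter firewall as Microsoft suggests.
function Block-OutboundSmb {
    param([string[]]$Profile = @('Public', 'Private'))
    $name = 'Block outbound TCP 445 (CVE-2024-38200 mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile $Profile | Out-Null
    }
}

# 3. Protected Users: members cannot authenticate with NTLM at all, so their
#    credentials cannot be captured by an NTLM leak. Domain accounts only.
function Add-ToProtectedUsers {
    param([string[]]$Accounts)
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($account in $Accounts) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $account
    }
}

"Outgoing NTLM policy before: $(Get-OutgoingNtlmPolicy)"
Set-OutgoingNtlmPolicy -Mode Audit      # switch to Deny only after reviewing the audit log
"Outgoing NTLM policy after:  $(Get-OutgoingNtlmPolicy)"
Block-OutboundSmb
Add-ToProtectedUsers -Accounts @('da-alice', 'da-bob')   # placeholder account names
```

The script deliberately sets the NTLM policy to Audit rather than Deny: run it in that state for a while, review the Microsoft-Windows-NTLM/Operational log for the servers that still receive outbound NTLM from the host, add any legitimate ones to the companion "Add remote server exceptions" policy, and only then switch to `-Mode Deny`. Protected Users also disables Kerberos DES/RC4 and delegation for its members, so test service accounts before adding them.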
