Microsoft has disclosed a potentially disruptive flaw found in multiple versions of its Office software suite that could allow threat actors to access sensitive information.
The flaw is described as an information disclosure vulnerability and is known as CVE-2024-38200. It affects both 32-bit and 64-bit versions of the product, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
Microsoft says threat actors are unlikely to attempt to exploit the flaw because it requires a lot of interaction from the victim and primarily affects older versions of Office that many users don't currently use.
Feature Flighting
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is used to exploit the vulnerability,” Microsoft said in its advisory.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click on a link, typically via an email or instant messaging message, and then convince the user to open the specially crafted file.”
While this seems like a lot of work, we have seen threat actors successfully carry out even more complex attacks that require victims to perform multiple steps.
In any case, Microsoft fixed the vulnerability via Feature Flighting on July 30, BleepingComputer reported.
“No, we have identified a workaround for this issue that we enabled via Feature Flighting on 7/30/2024,” the updated CVE-2024-38200 advisory reads. “Customers are already protected on all supported versions of Microsoft Office and Microsoft 365. Customers still need to upgrade to the August 13, 2024 updates to get the final release of the fix.”
Those who are unable to apply the patch can work around the issue by blocking outbound NTLM traffic to remote servers. More details on the mitigation measure can be found here.
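For administrators who want to apply the NTLM workaround on individual machines, the following script is an added example (it is not from the article or from Microsoft's advisory). It reads and, when asked, sets the registry value behind the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, and can optionally add an outbound SMB (TCP 445) firewall block, which is this example's own addition rather than something the article describes. The script name, parameter names and firewall rule name are assumptions chosen for the example.

```powershell
# Added example (not from the original article or Microsoft's advisory):
# audit and, if desired, enforce the "Restrict NTLM: Outgoing NTLM traffic to
# remote servers" policy on a single host. The policy is backed by the
# documented registry value below; the script name, parameter names and the
# firewall rule name are this example's own choices.
#
# Usage:  .\Restrict-OutboundNtlm.ps1              # report current setting only
#         .\Restrict-OutboundNtlm.ps1 -Mode Audit  # log outbound NTLM, do not block
#         .\Restrict-OutboundNtlm.ps1 -Mode Deny   # block outbound NTLM
# Run from an elevated PowerShell session; supports -WhatIf.

[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Report', 'Audit', 'Deny')]
    [string]$Mode = 'Report',
    # Optionally add a Windows Firewall rule that blocks outbound SMB (TCP 445),
    # the transport used when Office follows a UNC path to a remote server.
    [switch]$BlockOutboundSmb
)

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'RestrictSendingNTLMTraffic'
# Documented meanings of the value: 0 = allow all, 1 = audit all, 2 = deny all.
$levels = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$target = @{ Audit = 1; Deny = 2 }

function Get-OutboundNtlmPolicy {
    $current = (Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $current) { $current = 0 }   # absent value means the default: allow all
    [pscustomobject]@{
        Value      = [int]$current
        Meaning    = $levels[[int]$current]
        # Servers exempted by the "Add remote server exceptions for NTLM authentication" policy
        Exceptions = (Get-ItemProperty -Path $lsaPath -Name 'ClientAllowedNTLMServers' -ErrorAction SilentlyContinue).ClientAllowedNTLMServers
    }
}

$before = Get-OutboundNtlmPolicy
Write-Host ("Current outbound NTLM policy: {0} ({1})" -f $before.Value, $before.Meaning)
if ($before.Exceptions) { Write-Host ("Allowed exceptions: {0}" -f ($before.Exceptions -join ', ')) }

if ($Mode -ne 'Report') {
    $desired = $target[$Mode]
    if ($PSCmdlet.ShouldProcess("$lsaPath\$valueName", "Set to $desired ($($levels[$desired]))")) {
        if (-not (Test-Path $lsaPath)) { New-Item -Path $lsaPath -Force | Out-Null }
        Set-ItemProperty -Path $lsaPath -Name $valueName -Value $desired -Type DWord
    }
}

if ($BlockOutboundSmb) {
    $ruleName = 'Block outbound SMB (TCP 445) - added example'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($ruleName, 'Create outbound block rule')) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
                -RemotePort 445 -Action Block -Profile Any | Out-Null
        }
    }
}

# In audit mode Windows records outbound NTLM authentications in the
# Microsoft-Windows-NTLM/Operational log, which shows which remote servers
# still rely on NTLM before the policy is switched to Deny.
if ($Mode -eq 'Audit') {
    Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
}

# Report the effective setting after any change.
Get-OutboundNtlmPolicy
```

Run it first with the default `Report` mode, then `-Mode Audit` for a period long enough to see which remote servers the machine still authenticates to with NTLM; only then switch to `-Mode Deny`, adding any legitimate servers to the exception list, since a blanket deny also breaks NTLM authentication to legacy file servers and non-domain hosts. In a domain the same setting is normally deployed through Group Policy rather than per host.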
Via BleepingComputer