August 10, 2024Ravie LakshmananVulnerability / Business Security

Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could lead to unauthorized disclosure of sensitive information to malicious parties.

The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), is described as a spoofing flaw that affects the following versions of Office:

• Microsoft Office 2016 for 32-bit and 64-bit editions
• Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
• Microsoft 365 Apps for enterprise for 32-bit and 64-bit systems
• Microsoft Office 2019 for 32-bit and 64-bit editions

The discovery and reporting of the vulnerability are credited to researchers Jim Rush and Metin Yunus Kandemir.

“In a web-based attack scenario, an attacker could host a website (or use a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability,” Microsoft said in an alert.

“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically through an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”

An official patch for CVE-2024-38200 is expected to be released on August 13 as part of the monthly Patch Tuesday updates, but the tech giant said an alternate fix has already been identified that will be enabled via Feature Flighting on July 30, 2024.

It was also stated that customers are already protected on all supported versions of Microsoft Office and Microsoft 365, but that for optimal protection it is essential to update to the final version of the patch once it becomes available in a few days.

Microsoft, which has classified the flaw as “Exploitation Less Likely,” has also outlined three strategies for mitigating the vulnerability:

• Block TCP 445/SMB outbound from the network by using a perimeter firewall, a local firewall, and via VPN settings to prevent NTLM authentication messages from being sent to remote file shares

The revelation comes after Microsoft said it is working to fix two zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302) that could be exploited to “unpatch” up-to-date Windows systems and reintroduce old vulnerabilities.

Earlier this week, Elastic Security Labs revealed a number of methods that attackers could use to execute malicious apps without triggering warnings in Windows Smart App Control and SmartScreen. One of these is a technique called LNK stopping, which has been in widespread use for more than six years.