Microsoft has discovered an unpatched zero-day vulnerability in Office that may lead to unauthorized disclosure of sensitive information to malicious actors.
The vulnerability, identified as CVE-2024-38200 (CVSS score: 7.5), is a spoofing flaw affecting the following Office versions:
- Microsoft Office 2016 for 32-bit and 64-bit editions
- Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
- Microsoft Office 2019 for 32-bit and 64-bit editions
Researchers Jim Rush and Metin Yunus Kandemir are credited with discovering and reporting this vulnerability.
“In a web-based attack scenario, an attacker could exploit the vulnerability by hosting a website or using a compromised website that accepts user-provided content containing a specially crafted file,” stated Microsoft in an advisory.
Microsoft plans to release a formal patch for CVE-2024-38200 on August 13 as part of its monthly updates. In the meantime, an alternative fix has been enabled via Feature Flighting since July 30, 2024.
While customers on supported versions are already protected, it’s recommended to update to the final patch version for optimal security.
Microsoft has assessed the likelihood of exploitation as “Less Likely” and outlined three mitigation strategies, including blocking TCP 445/SMB outbound traffic.
Meanwhile, Microsoft is also addressing two other zero-day flaws (CVE-2024-38202 and CVE-2024-21302) that could expose Windows systems to old vulnerabilities.
Elastic Security Labs recently revealed methods that attackers can use to bypass Windows security measures and run malicious apps undetected.
