Microsoft has acknowledged a previously undisclosed zero-day vulnerability in its Workplace platform, which, if successfully exploited, could result in the unauthorized disclosure of sensitive information to malicious actors.
The vulnerability, designated as CVE-2024-38200 with a CVSS severity score of 7.5, is classified as a spoofing issue affecting forthcoming updates to Workplace –
- Microsoft Office 2016: A Comprehensive Suite for Both 32-bit and 64-bit Platforms
- Microsoft Workplace LTSC 2021: Compatible with Both 32-bit and 64-bit Operating Systems
- Microsoft 365 Apps for Enterprise: Installation Guidance for 32-bit and 64-bit Systems
- Microsoft Office 2019: A comprehensive suite of productivity applications for both 32-bit and 64-bit platforms.
The vulnerability was discovered and reported by researchers Jim Rush and Metin Yunus Kandemir.
“In a web-based attack scenario, an attacker may create and deploy a specially crafted file on a website, either by hosting it themselves or exploiting a compromised site that allows user-generated content, with the intention of capitalizing on a known vulnerability,” the advisory from Microsoft states.
Despite this, a malicious actor would lack a viable means of coercing users into visiting the website. A malicious actor must craft a convincing email or messaging prompt that induces the recipient to click on a hyperlink, often utilising enticing language, and then successfully persuade them to open a specially designed file.
A proper patch for CVE-2024-38200 is expected to be released on August 13 as part of Microsoft’s regular monthly Patch Tuesday updates; however, the tech giant also announced an interim fix, which it has enabled through Function Flighting as of July 30, 2024.
While users are already safeguarded across all in-place versions of Microsoft Office and Microsoft 365, it’s crucial to update to the final version of the patch once it becomes available within the next few days for optimal security.
Microsoft has assigned a concerning “Exploitation Highly Likely” rating to the vulnerability and has provided three recommended mitigation techniques:
- Block outgoing SMB traffic on port 445 from leaving the organization by leveraging a perimeter firewall, an internal network firewall, and VPN configurations to prevent the transmission of NTLM authentication requests to remote file servers.
Microsoft has disclosed its efforts to address two critical, unpatched vulnerabilities (CVE-2024-38202 and CVE-2024-21302), which could potentially be exploited to “roll back” up-to-date Windows systems and re-introduce previously patched flaws.
Recently, researchers at Elastic Safety Labs uncovered various tactics employed by attackers to launch malicious applications without prompting Windows Defender Application Control and SmartScreen alerts, including a technique called LNK stomping that has been in use in the wild for over six years.
