Microsoft has announced an unpatched zero-day in Office that malicious attackers can exploit to gain access to personal information without authorization.
The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), is a spoofing flaw that affects the following versions of Office:
- Microsoft Office 2016 for 32-bit and 64-bit editions
- Microsoft Office 2019 for 32-bit and 64-bit editions
- Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
Microsoft said in an advisory that, in a web-based attack scenario, an attacker could host a website, or leverage a compromised website that accepts or hosts user-provided content, containing a specially crafted file designed to exploit the vulnerability.
However, an attacker would not be able to force the user to visit the website. Instead, the attacker would have to persuade the victim to click a link, typically through an enticement in an email or instant message, and then to open the specially crafted file.
A formal patch for CVE-2024-38200 is scheduled to be released on August 13 as part of Microsoft's monthly Patch Tuesday updates. However, the tech giant revealed that it has identified an alternative workaround, enabled via Feature Flighting as of July 30, 2024.
In addition, it stated that users of Microsoft Office and Microsoft 365 are now protected on all in-support versions. It remains important to update to the final patched version when it becomes available in a few days, for the best level of security.
Microsoft has outlined three mitigations and assigned the issue an "Exploitation Less Likely" rating:
- Configure the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting, which makes it possible to allow, block or audit outgoing NTLM traffic from a PC running Windows 7, Windows Server 2008 or later to any remote server running the Windows operating system.
- Add users to the Protected Users Security Group, which prevents them from using NTLM for authentication.
- Block TCP 445/SMB outbound from the network using a local firewall, a perimeter firewall, or VPN settings, to prevent NTLM authentication messages from being sent to remote file shares.
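
A read-only PowerShell check of the three mitigations above on a single Windows host, added here as an example and not taken from Microsoft's advisory. The account name `example.user` is a constructed placeholder, and the Protected Users check assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example: read-only audit of the three NTLM mitigations on the local host.
# Run from an elevated PowerShell session. 'example.user' is a constructed placeholder.
param([string]$User = 'example.user')

# 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    is stored as RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$labels = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$value  = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic `
              -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $value) {
    'Outgoing NTLM policy : not configured (no restriction applied)'
} else {
    "Outgoing NTLM policy : $($labels[[int]$value]) ($value)"
}

# 2. Protected Users membership (members of this group cannot authenticate with NTLM).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $members = Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object -ExpandProperty SamAccountName
    "Protected Users      : contains ${User} = $($members -contains $User)"
} else {
    'Protected Users      : ActiveDirectory module not installed, check skipped'
}

# 3. Enabled local firewall rules that block outbound TCP 445 (SMB).
#    Only rules naming port 445 explicitly are matched, not port ranges, and
#    perimeter firewall or VPN rules are outside the scope of this check.
$smbBlocks = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True `
                 -ErrorAction SilentlyContinue |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and $filter.RemotePort -contains '445'
    }
if ($smbBlocks) {
    "Outbound TCP 445     : blocked by $($smbBlocks.DisplayName -join ', ')"
} else {
    'Outbound TCP 445     : no enabled local block rule found'
}
```

Setting the policy to audit (1) before deny (2) lets administrators review which remote servers still receive NTLM traffic before anything is blocked.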
The disclosure coincides with Microsoft's announcement that it is working to resolve two zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302) that could be used to "unpatch" Windows updates and reintroduce old security holes.
Earlier this week, Elastic Security Labs disclosed a number of techniques that attackers can use to run malicious applications without triggering Windows Smart App Control and SmartScreen alerts. LNK stomping is one such technique, and it has been used in the wild for over six years.
