Microsoft Office Under Threat: Spoofing Vulnerability Microsoft Urges Immediate Action

Microsoft Alerts Users to Unpatched Office Zero-Day Vulnerability: Critical Data Exposure Risk

Microsoft has issued an important security alert, disclosing an unpatched zero-day vulnerability in its Office suite that poses a significant risk of data exposure. The vulnerability, tracked as CVE-2024-38200 with a CVSS score of 7.5, is categorized as a spoofing flaw. It affects several widely-used versions of Office, including:


  • Microsoft Office 2016 (32-bit and 64-bit editions)
  • Microsoft Office 2019 (32-bit and 64-bit editions)
  • Microsoft Office LTSC 2021 (32-bit and 64-bit editions)
  • Microsoft 365 Apps for Enterprise (32-bit and 64-bit editions)

This security flaw was identified by cybersecurity researchers Jim Rush and Metin Yunus Kandemir, who reported it to Microsoft.

Understanding the Vulnerability

CVE-2024-38200 lets an attacker obtain sensitive information from a user who opens a specially crafted file; the user has to open the file, not merely receive it. In a typical web-based attack the attacker hosts the file on a malicious or compromised website. The attacker cannot force anyone to visit that site, but can lure users into clicking a link sent by email or instant message, so that the file is downloaded and opened. The final step of the attack is an outbound NTLM authentication from the victim's machine to a server the attacker controls, which hands over the user's NTLM credentials (the NTLMv2 challenge response) for offline cracking or relay. That is why every mitigation Microsoft lists below is about NTLM rather than about Office itself.

Microsoft's Mitigation and Upcoming Patch

Although the formal patch is scheduled for August 13, 2024, as part of Microsoft's regular Patch Tuesday updates, the company already rolled out an interim fix through its Feature Flighting mechanism on July 30, 2024. Feature Flighting is a server-side feature toggle for the Office client rather than an update package, so this protection does not show up in Windows Update or in the Office build number; it is meant to cover users until the official patch ships.

Microsoft states that users on all supported versions of Office and Microsoft 365 are protected by the interim fix, but still recommends installing the August 13 update, which is the permanent fix and the only one that can be verified through normal patch inventory.

Recommended Mitigation Steps

To reduce exposure further, and to blunt other NTLM-leak techniques that end in the same outbound authentication, Microsoft lists three mitigations. Each has side effects, so start in audit mode or with a pilot group before rolling out broadly:

  1. Network Security Policy Configuration: Configure the Group Policy setting "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options). It controls outgoing NTLM traffic from systems running Windows 7, Windows Server 2008 or later to any remote Windows server. Set it to "Audit all" first, review the resulting Event ID 8001 entries in the Microsoft-Windows-NTLM/Operational log to find legitimate NTLM use, add those servers to "Add remote server exceptions for NTLM authentication", and only then switch to "Deny all".

  2. Protected Users Security Group: Adding domain accounts to this group prevents them from authenticating with NTLM at all (membership also disables DES and RC4 for Kerberos pre-authentication, blocks delegation, and limits TGT lifetime to four hours). It applies only to domain user accounts and is intended for high-value users such as administrators; do not add service or computer accounts, and expect breakage in applications that still depend on NTLM.

  3. Block TCP 445/SMB Outbound Traffic: Block outbound TCP 445 to the internet on perimeter and host firewalls and in VPN (split-tunnel) configuration, so that NTLM authentication messages cannot reach attacker-controlled file shares. Scope the block to internet-bound traffic: a blanket outbound 445 block also cuts off domain file shares, SYSVOL and print servers. This rule alone does not stop an NTLM leak over other transports such as HTTP/WebDAV, which is why the first two mitigations still matter.
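The three steps above as one PowerShell audit-and-apply script. This is an added example, not Microsoft's code and not part of the original advisory. It assumes that the policy is backed by the registry value RestrictSendingNTLMTraffic under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (0 = Allow all, 1 = Audit all, 2 = Deny all), that the ActiveDirectory module is available for the Protected Users check, and that the Windows Firewall "Internet" remote-address keyword is acceptable for scoping the 445 block. No account names are built in; the caller passes them. Run without switches to report only, with -Apply to change settings.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): audit and optionally apply the three
# NTLM mitigations Microsoft listed for CVE-2024-38200.
[CmdletBinding()]
param(
    [switch]$Apply,                      # report only unless -Apply is given
    [string[]]$ProtectedUserSams = @()   # domain sAMAccountNames to protect (caller-supplied)
)

# --- 1. Restrict outgoing NTLM ------------------------------------------------
# Assumption: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote
# servers" is stored here as RestrictSendingNTLMTraffic (0 Allow, 1 Audit, 2 Deny).
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$current = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
$state = switch ($current) { 2 { 'Deny all' } 1 { 'Audit all' } default { 'Allow all (not mitigated)' } }
Write-Host "[NTLM] RestrictSendingNTLMTraffic = $(if ($null -eq $current) { '(not set)' } else { $current }) -> $state"
if ($Apply -and $current -ne 2) {
    # Step to Audit first; Deny all is only safe once the 8001 events below are clean.
    Set-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    Write-Host '[NTLM] set to Audit all; review Event ID 8001, add exceptions, then set 2 (Deny all)'
}
# Event ID 8001 in the NTLM operational log = an outbound NTLM authentication that
# Deny all would block. These are the candidates for the server-exception list.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "[NTLM] 8001 $($_.TimeCreated): $(($_.Message -split "`r?`n")[0])" }

# --- 2. Protected Users ------------------------------------------------------
# Members cannot authenticate with NTLM (and lose DES/RC4 Kerberos, delegation,
# long TGT lifetimes). Domain user accounts only; never service or computer accounts.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $members = @(Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName)
    foreach ($sam in $ProtectedUserSams) {
        if ($members -contains $sam) { Write-Host "[PU] $sam already in Protected Users"; continue }
        Write-Host "[PU] $sam is NOT in Protected Users"
        if ($Apply) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $sam
            Write-Host "[PU] added $sam"
        }
    }
} else {
    Write-Host '[PU] ActiveDirectory module not installed; check Protected Users membership from a DC or RSAT host'
}

# --- 3. Block outbound TCP 445 to the internet --------------------------------
# Scoped with the 'Internet' address keyword so domain file shares and SYSVOL keep
# working. Windows Firewall evaluates Block rules before Allow rules, so there is no
# way to "allow internal" as an exception to a blanket block; scope the block instead.
$ruleName = 'Block outbound SMB (TCP 445) to Internet'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Host "[SMB] rule '$ruleName' present, Enabled=$($rule.Enabled), Action=$($rule.Action)"
} else {
    Write-Host "[SMB] no outbound TCP 445 block rule found"
    if ($Apply) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        Write-Host "[SMB] created '$ruleName'"
    }
}
```

The script deliberately stops at "Audit all" for the NTLM policy even with -Apply; raising the value to 2 is a manual step once the 8001 events show only servers that are on the exception list, because a premature Deny all breaks every legacy share and service that still authenticates with NTLM.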

Broader Security Concerns

This disclosure comes as part of a broader wave of security issues Microsoft is addressing. The company is also working on fixes for two further zero-day vulnerabilities, CVE-2024-38202 (an elevation-of-privilege flaw in the Windows Update stack) and CVE-2024-21302 (an elevation-of-privilege flaw in Windows Secure Kernel Mode). Together they allow a downgrade attack: a fully patched system can be rolled back to older, vulnerable component versions, effectively undoing previous patches while the system still reports itself as up to date.

Furthermore, recent research from Elastic Security Labs has shown that attackers use several methods to bypass Windows' built-in protections such as Smart App Control and SmartScreen. One of them, known as LNK stomping, relies on a crafted shortcut file with a non-standard target path that Explorer rewrites on the fly, which strips the Mark of the Web and with it the reputation check; samples using the technique have been in circulation for more than six years, a reminder that these bypasses are not new, only newly documented.

As always, users are advised to remain vigilant, apply security patches promptly, and follow best practices to protect their systems from emerging threats. Microsoft will continue to monitor the situation and provide updates as necessary to ensure the safety and security of its users.
