CVE-2024-38200: Zero-Day Vulnerability in Microsoft Office: A Call for Urgent Action
In a recent advisory published on August 8th, Microsoft disclosed a high-severity zero-day vulnerability affecting multiple versions of its Office software suite. The vulnerability tracked as CVE-2024-38200 (CVSS 7.5), enables unauthorized access to sensitive information, including NTLM hashes, which could be leveraged to compromise entire networks.
The vulnerability stems from an information disclosure weakness that could allow unauthorized actors to access sensitive, protected information. In particular, the flaw could be exploited in a web-based attack scenario, wherein an attacker hosts or leverages a compromised website to distribute a specially crafted file designed to exploit the vulnerability. However, the attacker cannot force users to visit the malicious website; instead, they must employ social engineering tactics, such as enticing the target via email or instant messaging, to convince the user to click on a link and open the compromised file.
Microsoft’s advisory provides further insights into the nature of this threat. The company confirmed on August 10th that CVE-2024-38200 is, in fact, a zero-day vulnerability, meaning it has been publicly disclosed before an official fix is available. This disclosure places organizations using affected Office versions at heightened risk until the flaw is fully patched.
The affected versions include:
- Microsoft Office 2016 (32/64-bit)
- Microsoft Office 2019 (32/64-bit)
- Microsoft Office 2021 (32/64-bit)
- Microsoft 365 Apps for Enterprise (32/64-bit)
Although the formal patch for CVE-2024-38200 is scheduled for release on August 13th, as part of Microsoft’s monthly Patch Tuesday updates, the tech giant has already taken interim measures to mitigate the risk. On July 30th, Microsoft implemented an alternative fix through Feature Flighting, which has been enabled across all supported versions of Office and Microsoft 365. While this measure provides a temporary safeguard, Microsoft emphasizes the importance of applying the final patch once it becomes available to ensure comprehensive protection.
Microsoft’s exploitability assessment suggests that the exploitation of CVE-2024-38200 is less likely, but it remains critical for users and organizations to be vigilant. To further mitigate the risk, Microsoft has recommended three temporary strategies:
- Network Security Configuration: Implement the “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy setting. This allows organizations to block or audit outgoing NTLM traffic from systems running Windows 7, Windows Server 2008, or later to any remote Windows server.
- Protected Users Security Group: Add users to the Protected Users Security Group, which prevents NTLM from being used as an authentication mechanism, thereby reducing the attack surface.
- Outbound TCP 445/SMB Blocking: Use a combination of perimeter firewalls, local firewalls, and VPN configurations to block outbound TCP 445/SMB traffic. This measure prevents NTLM authentication messages from being sent to remote file shares, thus thwarting potential exploitation attempts.
