Unpatched Office Zero-Day Vulnerability Disclosed by Microsoft

August 9, 2024

Microsoft has announced the existence of a high-severity zero-day vulnerability in Office 2016 and subsequent versions, for which a patch is still in development. The vulnerability, identified as CVE-2024-38200, is due to an information disclosure weakness that could potentially allow unauthorized individuals to access protected data, including system status, configuration data, personal information, or connection metadata. This zero-day affects various 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

While Microsoft's exploitability assessment suggests that the likelihood of CVE-2024-38200 being exploited is low, MITRE has indicated that the probability of exploitation for this type of weakness is high. According to Microsoft's advisory, "In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file."

Microsoft is currently in the process of developing security updates to address this zero-day bug, but has not yet revealed a release date. The discovery of the flaw was credited to Jim Rush, a security consultant at PrivSec Consulting, and Metin Yunus Kandemir, a member of the Synack Red Team. Peter Jakowetz, Managing Director at PrivSec, mentioned that Rush will provide further details about this vulnerability in his upcoming Defcon talk titled "NTLM - The last ride". Rush stated, "There will be a deep dive on several new bugs we disclosed to Microsoft (including bypassing a fix to an existing CVE), some interesting and useful techniques, combining techniques from multiple bug classes resulting in some unexpected discoveries and some absolutely cooked bugs. We'll also uncover some defaults that simply shouldn't exist in sensible libraries or applications as well as some glaring gaps in some of the Microsoft NTLM related security controls."

In addition to this, Microsoft is also addressing zero-day flaws that could potentially be exploited to 'unpatch' up-to-date Windows systems and reintroduce old vulnerabilities. Earlier this week, the company also mentioned that it is contemplating patching a Windows Smart App Control, SmartScreen bypass that has been exploited since 2018.

Latest News

• Critical Zero-Day Vulnerabilities Identified in Cisco's End-of-Life IP Phones
• CISA Issues Warning on Active Exploits of Apache OFBiz RCE Vulnerabilities
• Critical Cisco Software Vulnerability: Public PoC Exploit Code for CVE-2024-20419 Released
• Windows Update Downgrade Attack Exposes Fully-Updated Systems to Old Vulnerabilities
• CISA Includes Microsoft COM for Windows Vulnerability in Known Exploited Vulnerabilities Catalog