Microsoft has disclosed a security vulnerability, tracked as CVE-2024-38200, that affects multiple versions of its Office suite, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
CVE-2024-38200 is an information disclosure vulnerability, which could enable unauthorized actors to gain access to protected information.
According to Microsoft's advisory, the flaw impacts both 32-bit and 64-bit versions of Office and could be exploited in a web-based attack scenario. In such a scenario, an attacker could host a malicious website or compromise an existing one to deliver a specially crafted file designed to exploit the vulnerability.
Microsoft notes that the attacker would not be able to force users to visit the malicious website. Instead, the attacker would have to convince a target to click a link—typically sent via email or instant messaging—and then to open the specially crafted file.
Microsoft has already taken steps to protect customers by deploying a fix through Feature Flighting on July 30, 2024.
“Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365,” the advisory states. Nonetheless, Microsoft advises users to update their systems with the August 13, 2024, updates, which include the final version of the fix.
To further mitigate the risks associated with the vulnerability, Microsoft recommends the following:
Block Outbound NTLM Traffic: Configuring the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting can help prevent unauthorized NTLM traffic from leaving the network. This policy can be set to allow, block, or audit outgoing NTLM traffic, reducing the risk of exploitation.
Use Protected Users Security Group: Adding users to the Protected Users Security Group prevents the use of NTLM as an authentication mechanism, which can be particularly useful for high-value accounts such as Domain Admins. This method simplifies troubleshooting while enhancing security, though it may impact applications that require NTLM.
Block TCP 445/SMB Outbound: Blocking TCP port 445 or Server Message Block (SMB) outbound traffic at the network perimeter, via local firewalls, or through VPN settings, can prevent NTLM authentication messages from being sent to remote file shares.
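The three mitigations above are host and domain settings, so an administrator would normally apply and verify them from PowerShell. The following script is an added example and is not part of the article or Microsoft's advisory: it sets the policy behind "Restrict NTLM: Outgoing NTLM traffic to remote servers" through its registry value, lists the audit events that policy writes, adds an account to Protected Users, and creates a host firewall rule blocking outbound TCP 445. The account name and the firewall profile scoping are assumptions chosen for illustration.

```powershell
# Added example (not from the Microsoft advisory): apply and check the three
# NTLM-related mitigations on a domain-joined Windows host. Run elevated.
#Requires -RunAsAdministrator

# Registry value set by the policy "Network security: Restrict NTLM:
# Outgoing NTLM traffic to remote servers". 0 = allow all, 1 = audit all, 2 = deny all.
$NtlmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NtlmName  = 'RestrictSendingNTLMTraffic'
$NtlmModes = @{ Allow = 0; Audit = 1; Block = 2 }

function Get-NtlmOutboundRestriction {
    # Returns the current mode name; an absent value means the default, Allow.
    $item = Get-ItemProperty -Path $NtlmKey -Name $NtlmName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Allow' }
    $mode = $NtlmModes.GetEnumerator() | Where-Object { $_.Value -eq $item.$NtlmName }
    if ($mode) { $mode.Key } else { "Unknown($($item.$NtlmName))" }
}

function Set-NtlmOutboundRestriction {
    param([ValidateSet('Allow', 'Audit', 'Block')][string]$Mode)
    # Start with Audit: it records the outgoing NTLM that Block would stop
    # (Event ID 8001 in Microsoft-Windows-NTLM/Operational) without breaking
    # anything, so the applications that still need NTLM are known first.
    New-ItemProperty -Path $NtlmKey -Name $NtlmName -Value $NtlmModes[$Mode] `
        -PropertyType DWord -Force | Out-Null
}

function Get-NtlmAuditEvents {
    param([int]$Hours = 24)
    # Outgoing NTLM attempts the policy audited or blocked in the last $Hours hours.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Add-ToProtectedUsers {
    param([string[]]$SamAccountName)
    # Membership in Protected Users disables NTLM for the account domain-wide.
    # Needs the RSAT ActiveDirectory module and rights to change the group.
    Import-Module ActiveDirectory
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
}

function Block-OutboundSmb {
    param([string[]]$Profiles = @('Public', 'Private'))
    # Host firewall rule blocking outbound TCP 445. Scoping to the Public and
    # Private profiles is a design choice of this example: off the corporate
    # network, outbound SMB to the internet is rarely legitimate, while on the
    # Domain profile internal file shares keep working. Perimeter enforcement
    # of the same rule is configured separately on the edge firewall.
    $name = 'Block outbound SMB (TCP 445)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile $Profiles | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Profile, Action
}

# Usage. The account 'jdoe-admin' is a hypothetical high-value account.
"Current outbound NTLM mode: $(Get-NtlmOutboundRestriction)"
Set-NtlmOutboundRestriction -Mode Audit
Get-NtlmAuditEvents -Hours 24 | Format-Table -AutoSize
Block-OutboundSmb
# Add-ToProtectedUsers -SamAccountName 'jdoe-admin'   # on a host with RSAT and domain rights
```

Running in Audit mode for a few days before switching to Block, and reviewing the 8001 events, is what keeps the NTLM restriction from breaking the applications the advisory warns may still depend on it; the same review tells you which accounts are safe to move into Protected Users.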