12 August 2024

Microsoft shares mitigations for unpatched MS Office flaw


Microsoft has disclosed a security vulnerability, tracked as CVE-2024-38200, that affects multiple versions of its Office suite, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

CVE-2024-38200 is an information disclosure vulnerability, which could enable unauthorized actors to gain access to protected information.

According to Microsoft's advisory, the flaw impacts both 32-bit and 64-bit versions of Office and could be exploited in a web-based attack scenario. In such a scenario, an attacker could host a malicious website or compromise an existing one to deliver a specially crafted file designed to exploit the vulnerability.

Microsoft notes that the attacker would not be able to force users to visit the malicious website. Instead, the attacker would have to convince a target to click a link—typically sent via email or instant messaging—and then to open the specially crafted file.

Microsoft has already taken steps to protect customers by deploying a fix through Feature Flighting on July 30, 2024.

“Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365,” the advisory states. Nonetheless, Microsoft advises users to update their systems with the August 13, 2024, updates, which include the final version of the fix.

To further mitigate the risks associated with the vulnerability, Microsoft recommends the following:

  • Block Outbound NTLM Traffic: Configuring the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting can help prevent unauthorized NTLM traffic from leaving the network. This policy can be set to allow, block, or audit outgoing NTLM traffic, reducing the risk of exploitation.

  • Use Protected Users Security Group: Adding users to the Protected Users Security Group prevents the use of NTLM as an authentication mechanism, which can be particularly useful for high-value accounts such as Domain Admins. This method simplifies troubleshooting while enhancing security, though it may impact applications that require NTLM.

  • Block TCP 445/SMB Outbound: Blocking TCP port 445 or Server Message Block (SMB) outbound traffic at the network perimeter, via local firewalls, or through VPN settings, can prevent NTLM authentication messages from being sent to remote file shares.
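As an added example (not code from Microsoft's advisory), the following PowerShell script reports the current state of the three mitigations on a Windows host and, with `-Apply`, enacts them; the `$HighValueUsers` list and the firewall rule name are assumptions to adjust for your environment.

```powershell
# Added example, not part of Microsoft's advisory. Run from an elevated prompt.
# Without -Apply the script only reports; -NtlmMode selects audit (1) or deny (2).
param(
    [switch]$Apply,
    [ValidateSet('Audit','Deny')][string]$NtlmMode = 'Audit',
    [string[]]$HighValueUsers = @()   # assumed list of high-value accounts
)

# 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    is backed by this registry value: 0 = allow all, 1 = audit all, 2 = deny all.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$current = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
"Outgoing NTLM restriction: $(if ($null -eq $current) {'not set (allow all)'} else {$current})"
if ($Apply) {
    $value = if ($NtlmMode -eq 'Deny') { 2 } else { 1 }
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    "Set RestrictSendingNTLMTraffic = $value ($NtlmMode)"
}

# Audit mode logs event 8001 (outgoing NTLM that would be blocked) to the NTLM
# operational log; review these entries before switching from Audit to Deny.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NTLM/Operational'; Id=8001} `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# 2. Protected Users: members cannot authenticate with NTLM. Needs the
#    ActiveDirectory module and domain rights; apps that require NTLM will break.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    if ($Apply -and $HighValueUsers.Count -gt 0) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $HighValueUsers
    }
    'Protected Users members:'
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
} catch { "ActiveDirectory module unavailable: $($_.Exception.Message)" }

# 3. Block outbound TCP 445 to the Windows firewall's "Internet" address set,
#    which leaves intranet file shares reachable. Rule name is an assumption.
$ruleName = 'Block outbound SMB to Internet (CVE-2024-38200 mitigation)'
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
"Outbound SMB block rule present: $([bool]$existing)"
if ($Apply -and -not $existing) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    "Created firewall rule '$ruleName'"
}
```

Start with `-NtlmMode Audit` and review the 8001 events for a few days; only move to `Deny` once the legitimate outgoing NTLM sources they reveal have been accounted for.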

