Microsoft has disclosed a high-severity zero-day vulnerability, currently unpatched, that affects Office 2016 and later versions. The security flaw, tracked as CVE-2024-38200, stems from an information disclosure weakness that could allow unauthorized actors to access sensitive data.
Affected Versions and Potential Impact
The zero-day vulnerability impacts multiple 32-bit and 64-bit Office versions, including:
- Office 2016
- Office 2019
- Office LTSC 2021
- Microsoft 365 Apps for Enterprise
This security flaw potentially exposes protected information such as system status, configuration data, personal information, and connection metadata to malicious actors.
Exploitation Likelihood and Attack Scenarios
While Microsoft’s initial assessment suggests that exploitation of CVE-2024-38200 is less likely, MITRE has categorized the likelihood of exploitation for this type of weakness as highly probable. This discrepancy highlights the potential severity of the vulnerability.
Microsoft’s advisory outlines a possible web-based attack scenario:
“An attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. The attacker would need to convince the user to click a link, typically through enticement in an email or instant message, and then persuade the user to open the specially crafted file.”
Ongoing Development of Security Updates
Microsoft is actively working on security updates to address this zero-day bug. However, the company has not yet announced a release date for the patch.
Further Details to be Revealed at Defcon
The discovery of CVE-2024-38200 is credited to PrivSec Consulting security consultant Jim Rush and Synack Red Team member Metin Yunus Kandemir. While Microsoft has shared few details, more information is expected to be disclosed during Rush’s upcoming Defcon talk titled “NTLM – The Last Ride.”
Rush promises a deep dive into several new bugs disclosed to Microsoft, including:
- Bypasses for existing CVE fixes
- Interesting and useful techniques
- Combinations of techniques from multiple bug classes
- Unexpected discoveries and “absolutely cooked bugs”
- Revelations about questionable defaults in libraries and applications
- Gaps in Microsoft’s NTLM-related security controls
Additional Security Concerns
Microsoft is also addressing other critical security issues, including:
- Zero-day flaws that could “unpatch” up-to-date Windows systems, potentially reintroducing old vulnerabilities.
- A Windows Smart App Control and SmartScreen bypass that has been exploited since 2018, which the company is considering patching.