Various versions of Microsoft Office have a serious security vulnerability which could expose sensitive data to an attacker. Worryingly, while disclosing the flaw, Microsoft has also conceded that there is no patch available.
The issue is being tracked as CVE-2024-38200 and it affects a variety of editions of the Office suite, namely the 32- and 64-bit versions of Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft 365 Apps for Enterprise. While there is no fix available right now, one is expected in the coming days.
The flaw is described as a spoofing vulnerability and has been given a CVSS score of 7.5. But while the vulnerability has a fairly high severity rating, Microsoft is trying to play down the likelihood of it being exploited.
Writing about the issue, the company says:
In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability.
However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.
Until a fix is produced, Microsoft suggests three means of mitigating the flaw:
- Configuring the “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy setting provides the ability to allow, block, or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism
- Block TCP 445/SMB outbound from the network by using a perimeter firewall, a local firewall, and via VPN settings to prevent the sending of NTLM authentication messages to remote file shares
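The three mitigations above, applied from PowerShell on a domain-joined host, as an added example that is not from the article or from Microsoft's advisory. It assumes an elevated session and the RSAT ActiveDirectory module; the account name and firewall rule name are placeholders, and the NTLM policy is set to audit first so legitimate NTLM use can be reviewed before it is blocked.

```powershell
# Added example (not from the article or Microsoft): applies the three
# mitigations listed above on a domain-joined Windows host. Assumes an
# elevated PowerShell session and the RSAT ActiveDirectory module; the
# account name and rule name below are placeholders.
#Requires -RunAsAdministrator
param(
    # Placeholder: the domain account to add to Protected Users
    [string]$UserToProtect = 'CONTOSO\jdoe-placeholder',
    # Start in audit mode (1) so legitimate NTLM use shows up in the log
    # before switching to block (2). 0 = allow all.
    [ValidateSet(0, 1, 2)][int]$NtlmOutboundMode = 1
)

# 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote
#    servers" is backed by this LSA registry value (0 allow, 1 audit, 2 deny).
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsaPath -Name 'RestrictSendingNTLMTraffic' `
    -Value $NtlmOutboundMode -Type DWord
# Enable the NTLM operational log so audit mode actually records events.
wevtutil sl Microsoft-Windows-NTLM/Operational /e:true

# 2. Protected Users: members cannot authenticate with NTLM at all.
#    Domain accounts only; service accounts that rely on NTLM will break.
Import-Module ActiveDirectory
$sam = ($UserToProtect -split '\\')[-1]
Add-ADGroupMember -Identity 'Protected Users' -Members $sam

# 3. Block outbound SMB (TCP 445) with the host firewall so a crafted
#    document cannot trigger NTLM authentication to an Internet share.
#    -RemoteAddress 'Internet' keeps intranet file servers reachable;
#    drop the parameter to block outbound SMB everywhere.
$ruleName = 'Block outbound SMB (CVE-2024-38200 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
        -Protocol TCP -RemotePort 445 -Action Block -Profile Any `
        -RemoteAddress 'Internet'
}

# Verify: current policy value, group membership and recent audit events
# (event ID 8001 = outgoing NTLM to a remote server seen in audit mode).
Get-ItemProperty -Path $lsaPath -Name 'RestrictSendingNTLMTraffic'
Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object -ExpandProperty SamAccountName
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 `
    -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8001 | Select-Object TimeCreated, Message
```

Run it with the default audit mode for a few days, review the 8001 events for legitimate NTLM destinations, then re-run with `-NtlmOutboundMode 2` to enforce the block.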