Microsoft has revealed an unpatched zero-day in Office that, if exploited effectively, can lead to the unauthorized disclosure of sensitive data to malicious actors.
The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7. 5), has been described as a spoofing flaw found in the following versions of Office:
Researchers Jim Rush and Metin Yunus Kandemir are credited with finding and reporting the vulnerability.
“In an Internet attack scenario, an attacker can simply host an Internet site (or exploit a compromised Internet site that accepts or hosts user-provided content) that contains a particular record designed to exploit the vulnerability,” he said. Microsoft in an opinion. Training
“However, an attacker would have no way to force the user to make a stop on the website. Instead, an attacker would have to convince the user to click on a link, using an incentive in an email or instant messaging message, and then convince the user to open the specially crafted file. “
An official patch for CVE-2024-38200 is expected to ship on August 13 as part of its monthly Patch Tuesday updates, but the tech giant said it was aware of a workaround that enabled Feature Flighting starting July 30. 2024.
He also noted that while consumers already have all supported editions of Microsoft Office and Microsoft 365, it’s imperative to update to the latest edition of the patch when it’s available in a few days for optimal protection.
Microsoft, which has called the flaw “less likely to be exploited,” further defined three mitigation strategies:
The disclosure comes as Microsoft said it runs on two zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302) that can be exploited to “unpatch” updated Windows systems and reintroduce old vulnerabilities.
Earlier this week, Elastic Security Labs exposed a variety of strategies that attackers can use to run malicious applications that trigger Windows Smart App Control and SmartScreen warnings, adding a strategy called LNK stomping that has been exploited in the wild for more than six years.
Watch experts simulate genuine threats to demonstrate compelling benefits.
Get practical steps and equipment to the full potential of GenAI while protecting your sensitive data.
Get the latest news, expertise, exclusive resources, and industry leaders for free.