WARNING: Microsoft Office Critical Zero-Day Vulnerability, Patch Still Pending!


Microsoft has disclosed a critical zero-day vulnerability affecting Office 2016 and later versions; at the time of writing no patch has been released.

Tracked as CVE-2024-38200, the bug is an information disclosure flaw. Microsoft's generic description says it could let an unauthorized party obtain data such as system status, configuration information, personal details, or connection metadata; the mitigations Microsoft recommends (all of them NTLM-related, see below) indicate that the data at stake in practice is NTLM authentication material sent to a remote server.

The zero-day vulnerability affects various 32-bit and 64-bit versions of Office, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

Microsoft rates exploitation of CVE-2024-38200 itself as less likely. By contrast, MITRE's CWE catalogue rates the likelihood of exploit for this class of weakness (exposure of sensitive information, CWE-200) as high.

In a web-based attack scenario, an attacker could host a website, or use a compromised website that accepts user-provided content, containing a specially crafted file designed to exploit the vulnerability. The attacker cannot force a user to visit the site; the victim must be lured into clicking a link, typically delivered by email or instant message, and then into opening the malicious file.

Microsoft is currently working on security updates to fix this zero-day issue but has not provided a timeline for the release.


Microsoft recommends three key mitigation strategies:

  1. Restrict NTLM Traffic: The "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting controls outgoing NTLM traffic from Windows 7, Windows Server 2008, and later versions to remote Windows servers. The traffic can be allowed, audited, or blocked. Start in audit mode: the audit events reveal which legacy applications and file servers still depend on outgoing NTLM before a block breaks them.
  2. Use the Protected Users Security Group: Members of the Protected Users group cannot authenticate with NTLM at all, so a leaked challenge-response cannot be harvested for them. The group applies to domain accounts only and exists once the domain has Windows Server 2012 R2 or later domain controllers.
  3. Block TCP 445/SMB Outbound: Blocking outbound TCP 445 prevents NTLM authentication messages from ever reaching an attacker-controlled file share. Apply the block at perimeter firewalls, local host firewalls, and in VPN split-tunnel settings, and scope it so that legitimate internal file servers remain reachable.
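The following PowerShell script is an added example, not code from the article or from Microsoft, that applies the three mitigations above on a domain-joined Windows host. The registry value, event log name, group name and cmdlets are the documented ones; the user names and the address scope of the firewall rule are placeholders to adapt. Run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added example: the three Microsoft-recommended mitigations for CVE-2024-38200.
# Placeholders (user names, remote address scope) are assumptions, not values from the article.

# 1. Restrict outgoing NTLM. This registry value is what the policy
#    "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" writes:
#    0 = Allow all, 1 = Audit all, 2 = Deny all. A Group Policy that sets the same
#    policy will overwrite a value written here, so prefer GPO in a managed domain.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-OutgoingNtlmPolicy {
    param([ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    New-ItemProperty -Path $lsaPath -Name 'RestrictSendingNTLMTraffic' `
        -PropertyType DWord -Value $value -Force | Out-Null
}

# In audit mode every outgoing NTLM attempt is logged as event 8001 in the
# Microsoft-Windows-NTLM/Operational log; review these before switching to Deny.
function Get-OutgoingNtlmAudit {
    param([int]$Last = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# 2. Protected Users: members cannot authenticate with NTLM at all. Domain accounts only;
#    requires the ActiveDirectory RSAT module on the machine running this.
function Add-ToProtectedUsers {
    param([string[]]$SamAccountName)
    Import-Module ActiveDirectory
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

# 3. Block outbound SMB so a challenge from an attacker-controlled share is never answered.
#    Windows Firewall evaluates Block rules before Allow rules, so an exception for internal
#    file servers must be expressed as a narrower scope on the Block rule itself, not as a
#    separate Allow rule. 'Internet' is a built-in RemoteAddress keyword (non-local ranges).
function Block-OutboundSmb {
    param([string[]]$RemoteAddress = @('Internet'))
    New-NetFirewallRule -DisplayName 'Block outbound SMB (CVE-2024-38200 mitigation)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress $RemoteAddress -Action Block | Out-Null
}

# Rollout order: audit first, read the 8001 events, then deny and block.
Set-OutgoingNtlmPolicy -Mode Audit
Get-OutgoingNtlmAudit -Last 20 | Format-Table -AutoSize
Add-ToProtectedUsers -SamAccountName @('jdoe', 'svc-finance')   # placeholder accounts
Block-OutboundSmb
# Once the audit log shows no legitimate dependencies:
# Set-OutgoingNtlmPolicy -Mode Deny
```

The 8001 events name the target server and the process that initiated the authentication, which is exactly the inventory needed before moving from Audit to Deny; hosts that still need SMB to a specific external server can be given a narrower `-RemoteAddress` scope on the block rule.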


More Information Expected at Defcon

While Microsoft has not released specific details about the flaw, its discovery has been credited to Jim Rush, a security consultant at PrivSec Consulting, and Metin Yunus Kandemir, a member of the Synack Red Team.

According to Peter Jakowetz, Managing Director at PrivSec, Rush will provide more insights into this vulnerability during his upcoming Defcon talk titled "NTLM - The Last Ride." Rush plans to delve into several newly disclosed bugs, including methods for bypassing existing fixes, and explore some unexpected discoveries and critical issues.

Rush also intends to highlight defaults in certain libraries or applications that should not exist, along with gaps in Microsoft's NTLM-related security measures.

In addition to addressing this zero-day flaw, Microsoft is also working on fixing other vulnerabilities, including those that could potentially "unpatch" current Windows systems, reintroducing previously resolved vulnerabilities. The company also mentioned its ongoing consideration to patch a Windows Smart App Control and SmartScreen bypass that has been exploited since 2018.


Jens Trach

Security is only an illusion. Absolute security is an absolute illusion.

5mo

Finally an assignment that doesn't go to the #Nachtschicht (night shift) but to the #Tagschicht (day shift), or how does one classify #Management? Dear CEOs and other decision-makers: #Microsoft is certainly on the list of companies that produce secure software. I'm currently checking where, and I'm on page 872 of my endless printouts. Apparently they aren't that far up the list. Update to follow once I've found them.

Sandra D.

Cybersecurity GRC Risk Leader | Women’s ERG Co-Lead | Thought Leader | WOC STEM Tech Rising Star | Girls Inc DC Woman of Impact | Strategy Execution Specialist | Mentor | Career Coach | SAIC Brand Ambassador

5mo

Good to know!

Luca Crippa

Cloud Technical Sales | Distinguished Quantum Ambassador | PhD in Physics at IBM

5mo

Go multicloud and try AnyCloud Office356 Backup as a Service on the IBM Cloud marketplace! Differentiation makes the difference in these situations.

kenneth nwankwo

Lead DevOps Engineer | Cloud Solutions Architect | Security Expert

5mo

Very informative

Rudy De Zutter

Research, … Learning, … Thxs

5mo

I'll keep this in mind!


More articles by The Cyber Security Hub™
