A newly discovered zero-day vulnerability in Microsoft Office, designated as CVE-2024-38200, can be exploited by attackers to obtain users’ NTLM (New Technology LAN Manager) hashes, according to a recent announcement by Microsoft. This vulnerability is categorized as a spoofing vulnerability and can be triggered remotely without requiring special privileges or user interaction.
The vulnerability affects the 64-bit and 32-bit editions of Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft 365 Apps for Enterprise. Microsoft has implemented an alternative fix via Feature Flighting on July 30, 2024, which protects customers on all in-support versions of Microsoft Office and Microsoft 365. However, the company urges users to update to the August 13, 2024, updates for the final version of the fix.
CVE-2024-38200 attack scenario
In a web-based CVE-2024-38200 attack scenario, an attacker could host a website containing a specially crafted file designed to exploit the vulnerability. The attacker would need to convince the user to click a link, typically through an enticement in an email or instant-messenger message, and then convince the user to open the specially crafted file. Once the attacker obtains the victim’s NTLM hash, they can relay it to another service and authenticate as the victim, performing an authentication relay attack.
Mitigations and fixes
Microsoft has outlined several mitigating factors to reduce the risk of exploitation:
- Restricting outgoing NTLM traffic to remote servers.
- Adding users to the Protected Users Security Group.
- Blocking outbound traffic to TCP port 445.
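The following PowerShell script is an added example, not part of the article and not Microsoft's own tooling, showing how an administrator can check and apply the three mitigations above on a Windows host and then watch the NTLM audit log for outgoing authentication that would be affected. It assumes an elevated session, the Windows Firewall cmdlets, and (for the group check) a domain-joined machine with the ActiveDirectory module. The rule display name, the sample user names and the audit-log event ID 8001 (written by the audit mode of the outgoing-NTLM policy) are this example's own choices and assumptions, not values from the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): check and apply the
# three mitigations, then review the NTLM operational log.

# 1. Restrict outgoing NTLM traffic to remote servers.
#    Group Policy: "Network security: Restrict NTLM: Outgoing NTLM traffic to
#    remote servers". Stored as RestrictSendingNTLMTraffic under the MSV1_0 key
#    (0 = allow all, 1 = audit all, 2 = deny all).
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutgoingNtlmPolicy {
    $value = (Get-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic `
              -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($value) {
        2       { 'Deny all' }
        1       { 'Audit all' }
        default { 'Allow all (not restricted)' }
    }
}

function Set-OutgoingNtlmPolicy {
    param([ValidateSet('Audit', 'Deny')] [string] $Mode)
    $level = if ($Mode -eq 'Deny') { 2 } else { 1 }
    New-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic `
        -PropertyType DWord -Value $level -Force | Out-Null
}

# 2. Protected Users membership. Members of this group cannot authenticate with
#    NTLM at all, so their hashes are useless to a relay; apply it to privileged
#    accounts first and test, since it also disables delegation for them.
function Test-ProtectedUserMembership {
    param([string[]] $SamAccountNames)
    Import-Module ActiveDirectory
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    foreach ($name in $SamAccountNames) {
        [pscustomobject]@{ User = $name; Protected = ($members -contains $name) }
    }
}
# Remediation for a missing account:
#   Add-ADGroupMember -Identity 'Protected Users' -Members 'alice'   # constructed name

# 3. Block outbound SMB (TCP 445). The default scope keyword 'Internet' keeps
#    intranet file shares working; pass 'Any' to block everywhere.
function Block-OutboundSmb {
    param([string] $RemoteScope = 'Internet')
    $ruleName = 'Block outbound SMB (TCP 445) - NTLM relay mitigation'   # constructed name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress $RemoteScope -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Action
}

# 4. Detection: in audit mode the policy logs event 8001 (assumed ID) to the NTLM
#    operational log for each outgoing NTLM authentication that deny mode would block.
function Get-OutgoingNtlmAudit {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage (changes host state: sets audit mode and adds a firewall rule).
"Outgoing NTLM policy before: $(Get-OutgoingNtlmPolicy)"
Set-OutgoingNtlmPolicy -Mode Audit       # move to Deny once the 8001 events are reviewed
"Outgoing NTLM policy after:  $(Get-OutgoingNtlmPolicy)"
Block-OutboundSmb | Format-Table -AutoSize
Test-ProtectedUserMembership -SamAccountNames 'alice', 'bob' | Format-Table   # constructed names
Get-OutgoingNtlmAudit -Hours 24 | Format-Table -AutoSize
```

Starting in audit mode rather than deny mode is deliberate: the 8001 events show which internal servers still receive NTLM from this host, so legitimate dependencies can be moved to Kerberos before outgoing NTLM is denied outright.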
The company has also announced that final fixes for the affected software will be available on August 13, 2024, as part of the August 2024 Patch Tuesday updates.
NTLM deprecation
New Technology LAN Manager (NTLM) is an old suite of security protocols for user authentication provided by Microsoft, which has been officially deprecated in favor of Kerberos. Microsoft recommends replacing calls to NTLM with calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary.
The discovery of this zero-day vulnerability highlights the importance of keeping software up-to-date and implementing security best practices. Microsoft’s prompt response and implementation of an alternative fix have minimized the risk of exploitation. However, users are still advised to update to the final version of the fix on August 13, 2024, to ensure maximum protection.