Microsoft has revealed a serious security flaw in its Office software that could expose sensitive information to hackers. The unpatched vulnerability, labeled CVE-2024-38200 and rated 7.5 on the CVSS scale, allows attackers to impersonate users and potentially access confidential data. Researchers Jim Rush and Metin Yunus Kandemir discovered the vulnerability and reported it to Microsoft.
To exploit the flaw, attackers would typically trick users into opening malicious files disguised as legitimate documents.While Microsoft has implemented a temporary fix, a permanent patch is scheduled for release on August 13 as part of its regular security updates.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft said in an advisory.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
The affected versions include:
* Microsoft Office 2016 for 32-bit edition and 64-bit editions
* Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
* Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
* Microsoft Office 2019 for 32-bit and 64-bit editions
Users are advised to exercise caution when opening Office documents from unknown sources and to install the official patch as soon as it becomes available. Also, while customers are already protected on all in-support versions of Microsoft Office and Microsoft 365, it’s important to update to the final version of the patch as and when it becomes available.
To exploit the flaw, attackers would typically trick users into opening malicious files disguised as legitimate documents.While Microsoft has implemented a temporary fix, a permanent patch is scheduled for release on August 13 as part of its regular security updates.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft said in an advisory.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
The affected versions include:
* Microsoft Office 2016 for 32-bit edition and 64-bit editions
* Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
* Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
* Microsoft Office 2019 for 32-bit and 64-bit editions
Users are advised to exercise caution when opening Office documents from unknown sources and to install the official patch as soon as it becomes available. Also, while customers are already protected on all in-support versions of Microsoft Office and Microsoft 365, it’s important to update to the final version of the patch as and when it becomes available.
