Microsoft unveils potentially serious Office security flaw — but you probably should be safe

News
By published

Fix is now available for Office 2016

Microsoft Office
(Image credit: Shutterstock / monticello)

Microsoft has unveiled a potentially disruptive flaw found in multiple versions of its Office office software suite which could allow threat actors to access sensitive information. 

The flaw is described as an information disclosure weakness, and is tracked as CVE-2024-38200. It affects both 32-bit and 64-bit versions of the product, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. 

Microsoft argues that threat actors most likely won’t seek to exploit the flaw, since it requires heavy interaction from the victim’s side, and mainly affects older version of Office not in use for many users these days.

Feature Flighting

"In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft said in its advisory. 

"However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file."

While this sounds like a lot of work, we’ve seen threat actors successfully pull off even more complex attacks that require victims to take multiple steps.

In any case, Microsoft fixed the vulnerability via Feature Flighting on July 30, BleepingComputer reports. 

"No, we identified an alternative fix to this issue that we enabled via Feature Flighting on 7/30/2024," reads the updated CVE-2024-38200 advisory. "Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix."

Those that are unable to apply the patch can work around the issue by blocking outbound NTLM traffic to remote servers. More details about the mitigation measure can be found here

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Outlook
Dangerous Microsoft Outlook flaw could let hackers send out malware via email
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
A phone sitting on a laptop keyboard with the Microsoft Outlook logo on the screen.
US government warns users to patch this critical Microsoft Outlook bug
Representational image of a cybercriminal
Microsoft just patched a host of worrying security issues, so update now
Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
A phone showing a ChatGPT app error message
ChatGPT was down for many – here's what happened
More about security
An abstract image of digital security.

Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft

"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Hatch Restore 3 in Putty

You can finally start your day with The Office theme song, and I couldn't be more excited
See more latest
Most Popular
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Dell Pro Max with GB300
HP and Dell's latest Nvidia powered PCs are likely to be some of the most expensive workstations ever launched
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn