Microsoft has issued a critical security alert regarding a vulnerability affecting various versions of Office that could potentially expose NTLM hashes to remote attackers. This flaw, identified as CVE-2024-38200, poses a significant risk to organizations and individuals using affected Office products.
Understanding the Vulnerability
The vulnerability, classified as an information disclosure issue, allows unauthorized access to protected data. It impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. While Microsoft initially assessed the exploitation likelihood as low, MITRE’s evaluation suggests a potentially high risk, emphasizing the need for immediate attention.
Potential Exploitation Scenarios
Microsoft outlined a possible attack vector involving a malicious website hosting a specially crafted file designed to exploit the vulnerability. An attacker would need to convince a user to visit the site and open the file, typically through phishing emails or instant messages. This scenario underscores the importance of user awareness in cybersecurity.
Technical Impact
The vulnerability can be leveraged to force NTLM connections, such as to an SMB share on an attacker-controlled server. In these instances, Windows transmits the user’s NTLM hashes, including the hashed password, which attackers can potentially intercept and exploit.
Mitigation Strategies
Microsoft is actively developing patches to address this vulnerability. In the interim, they have released a temporary fix as part of Feature Flighting 7/30/2024. Users of supported Microsoft Office and Microsoft 365 versions are advised to update to the August 13, 2024 release to receive the fix.
Additionally, organizations can mitigate the risk by blocking outgoing NTLM traffic to remote servers. However, this approach may interfere with legitimate access to servers using NTLM authentication, requiring careful consideration before implementation.
As the cybersecurity landscape continues to evolve, staying vigilant and promptly applying security updates remains crucial. Organizations should prioritize user education on phishing awareness and implement robust security measures to protect against such vulnerabilities. Regular security audits and maintaining up-to-date software are essential steps in safeguarding against emerging threats like CVE-2024-38200.
