August 10, 2024 at 01:45AM
Microsoft has disclosed an unpatched zero-day vulnerability in Office (CVE-2024-38200) that could allow unauthorized disclosure of sensitive information to a remote attacker. A formal patch is expected on August 13, and an interim fix has already been rolled out. Three mitigation strategies have been outlined. Microsoft is also working on addressing two other zero-day flaws in Windows.
Key takeaways on the zero-day vulnerability in Microsoft Office:
– Microsoft has disclosed an unpatched zero-day vulnerability in Office, tracked as CVE-2024-38200 (CVSS score 7.5), affecting Microsoft Office 2016, Office 2019, Office LTSC 2021 and Microsoft 365 Apps for Enterprise (32- and 64-bit editions).
– The vulnerability is classified as a spoofing flaw. Exploitation requires user interaction: the attacker has to persuade the target to open a specially crafted file, typically through a link in an email or instant message, and cannot force it. If successful, it results in unauthorized disclosure of sensitive information; all three of Microsoft's mitigations target outbound NTLM authentication, so in practice the exposed data is the user's NTLM credential (hash), which can be captured by an attacker-controlled server and reused or cracked.
– Researchers Jim Rush and Metin Yunus Kandemir are credited with discovering and reporting the vulnerability.
– Microsoft plans to release the formal patch for CVE-2024-38200 on August 13, 2024 (Patch Tuesday). An interim fix has been in place through Feature Flighting since July 30, 2024, so in-support versions of Office and Microsoft 365 that have picked up that flight are already protected by it.
– Microsoft has outlined three mitigation strategies for customers who cannot wait for the patch: configuring the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (which controls NTLM to remote servers over any protocol, not only SMB); adding sensitive users to the Protected Users security group (which disables NTLM for those accounts, along with DES/RC4 Kerberos, delegation and credential caching); and blocking TCP 445/SMB outbound from the network by using a perimeter firewall, a local firewall and VPN settings.
– Customers are still advised to install the final patch once it is released; the interim fix and the mitigations reduce exposure but are not a substitute for it.
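As an added worked example (not from the page or from Microsoft's advisory), the following PowerShell applies and then verifies the three mitigations above on a single Windows host. The rule name, the pilot user list and the placeholder external address are assumptions; the NTLM policy is set through its registry value here, and on a domain you would set the equivalent Group Policy instead.

```powershell
# Added example: applies Microsoft's three listed mitigations for CVE-2024-38200 on one host.
# Run in an elevated PowerShell. The rule name, $pilotUsers and the test address are assumptions.

# 1. Restrict outgoing NTLM to remote servers.
#    Registry backing of "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#    0 = Allow all, 1 = Audit all, 2 = Deny all. Roll out with 1 first and review Event ID 8001 in
#    Microsoft-Windows-NTLM/Operational for legitimate NTLM traffic that would be blocked at 2.
$ntlmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $ntlmKey -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord

# 2. Add pilot users to the Protected Users group (requires the ActiveDirectory module on a
#    domain-joined admin host). Members cannot authenticate with NTLM at all, so keep service
#    accounts out of it and test with a small group before widening membership.
$pilotUsers = @('alice', 'bob')   # assumption: sample SAM account names
Add-ADGroupMember -Identity 'Protected Users' -Members $pilotUsers

# 3. Block outbound SMB (TCP 445) to non-intranet addresses with the host firewall.
#    Mirror the same rule on the perimeter firewall and in VPN split-tunnel settings.
New-NetFirewallRule -DisplayName 'CVE-2024-38200 block outbound SMB' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Action Block -Profile Any -Enabled True

# Verification: the policy value, the firewall rule, and a live connection attempt.
(Get-ItemProperty -Path $ntlmKey).RestrictSendingNTLMTraffic            # expect 2
Get-NetFirewallRule -DisplayName 'CVE-2024-38200 block outbound SMB' |
    Get-NetFirewallPortFilter                                           # expect RemotePort 445
# 203.0.113.10 is a documentation (TEST-NET-3) placeholder; substitute an external host you control.
Test-NetConnection -ComputerName 203.0.113.10 -Port 445 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded            # expect TcpTestSucceeded False
```

One caveat a practitioner should keep in mind: blocking TCP 445 on its own is not enough, because when an SMB connection fails Windows falls back to WebDAV (the WebClient service) over TCP 80/443, and NTLM can be sent over that channel as well. The outgoing-NTLM restriction in step 1 covers that path, which is why Microsoft's three mitigations are meant to be applied together rather than picked from.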
Separately, Microsoft is also working on fixes for two other zero-day flaws, CVE-2024-38202 (Windows Update Stack elevation of privilege) and CVE-2024-21302 (Windows Secure Kernel Mode elevation of privilege), which could be abused to roll back patched Windows components to older, vulnerable versions. In addition, Elastic Security Labs has detailed methods attackers can use to run malicious apps without triggering Windows Smart App Control and SmartScreen warnings, including a technique called LNK stomping: a shortcut file is crafted with a non-standard target path or internal structure, so that when the user clicks it, explorer.exe rewrites the file into canonical form and, in doing so, strips the Mark-of-the-Web before the reputation checks run.