A new zero-day flaw in Microsoft Office, known as CVE-2024-38200, poses a substantial risk because it might lead to the leaking of NTLM hashes to bad actors. Microsoft said last week that hackers can use this spoofing bug remotely, and they don’t need special access or direct user action to trigger it.
This bug affects many versions of Microsoft Office, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. Bad actors can exploit this flaw by placing a harmful file on a hacked or otherwise enticing website. Users must then click a link to this file and open it, so attacks usually rely on lures such as email or chat messages to draw victims in.
When attackers get their hands on NTLM hashes from hacked systems, they can pull off authentication relay attacks. This creates a severe security problem. Microsoft hasn’t come up with a permanent solution yet, but they’ve put a temporary fix in place. They started rolling out a safeguard on July 30, 2024 using something called Feature Flighting. This step aims to keep users safe across all the supported versions of Microsoft Office.
Microsoft plans to release a final fix for the vulnerability on August 13, 2024. Until then, Microsoft suggests users take several steps to protect themselves. These include limiting outbound NTLM traffic, adding users to the Protected Users Security Group, and stopping outbound traffic on TCP port 445.
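One way to script the three interim mitigations above on a domain-joined Windows host, as an added PowerShell example that is not from the article or from Microsoft; the account names, the NTLM server exception list and the firewall rule name are placeholders you would adjust for your environment:

```powershell
<#
  Added example (not from the article): applies the interim mitigations listed
  for CVE-2024-38200. Run elevated; the group step needs the ActiveDirectory module.
  Start in Audit mode, review the log, then re-run with -Mode Enforce.
#>
param(
    [ValidateSet('Audit', 'Enforce')]
    [string]$Mode = 'Audit',
    [string[]]$Accounts = @('CONTOSO\jdoe'),   # placeholder: privileged accounts to protect
    [string[]]$NtlmServerExceptions = @()      # hosts that still legitimately need NTLM
)

# 1. Limit outgoing NTLM ("Network security: Restrict NTLM: Outgoing NTLM
#    traffic to remote servers"). 0 = allow all, 1 = audit only, 2 = deny all.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$level = if ($Mode -eq 'Enforce') { 2 } else { 1 }
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value $level
if ($NtlmServerExceptions.Count -gt 0) {
    # Servers exempted from the deny policy (the "remote server exceptions" setting).
    Set-ItemProperty -Path $lsa -Name 'ClientAllowedNTLMServers' -Type MultiString `
        -Value $NtlmServerExceptions
}

# 2. Block outbound SMB (TCP 445) towards the Internet only, so intranet
#    file shares and domain controllers keep working.
$ruleName = 'Block outbound SMB to Internet (CVE-2024-38200 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 3. Add high-value accounts to Protected Users so they cannot authenticate with
#    NTLM at all. Caveat: members also lose RC4/DES Kerberos, delegation and
#    long-lived tickets, so test with a pilot account first.
Import-Module ActiveDirectory
foreach ($acct in $Accounts) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct.Split('\')[-1]
}

# 4. In Audit mode, list the outbound NTLM authentications that would have been
#    blocked (Event ID 8001 in the NTLM operational log) before enforcing.
if ($Mode -eq 'Audit') {
    Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 500 `
        -ErrorAction SilentlyContinue |
        Where-Object Id -eq 8001 |
        Select-Object TimeCreated, Message -First 20
}
```

Anything that shows up as Event ID 8001 during the audit period is a dependency that needs a Kerberos path or an entry in the exception list before you switch to Enforce.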
The vulnerability could have a big impact, but it’s important to remember that NTLM is no longer the preferred method. Microsoft now recommends the Kerberos protocol as it’s more secure. They want organizations to stop using NTLM and start using the Negotiate protocol, which defaults to Kerberos.
As this issue develops, it will be key to stay up to date with the newest patches and to put the suggested security measures in place. This will help reduce the risks linked to CVE-2024-38200.