Microsoft has disclosed a critical security vulnerability within their Office software service that could allow cybercriminals to gain access to sensitive information. This flaw is categorised as a spoofing vulnerability, where attackers employ social engineering tactics to deceive users into clicking on links that appear legitimate but are actually maliciously crafted to mimic authentic websites.
The vulnerability, designated as CVE-2024-38200, has been assigned a severity rating of 7.5 on the Common Vulnerability Scoring System (CVSS) scale. It was uncovered by security researchers Jim Rush and Metin Yunus Kandemir, who promptly reported their findings to Microsoft. Beyond malicious links, this flaw can also be exploited through files that are disguised to appear as legitimate documents, further increasing the risk of unauthorised access to sensitive data.
Microsoft's Statement, Action
Microsoft has also stated this issue and added, "In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability.”
The tech giant further said, “However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
Therefore, it is crucial for Microsoft Office users to remain vigilant when dealing with Office documents, especially those received from unfamiliar or untrusted sources. Users are encouraged to be cautious and avoid opening suspicious files until the official patch is released. Microsoft plans to roll out this patch on August 13, as part of their regular security update schedule.
The versions of Office currently vulnerable to this vulnerability include Microsoft Office 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Microsoft Office 2019. Until the patch is available, users should be particularly cautious to protect their systems from potential threats.