Microsoft warns Office and Microsoft 365 users of unpatched ‘security flaw’: Affected versions and what to do and not – Times of India




Microsoft has disclosed a severe security flaw in its Office software that could expose sensitive information to hackers. The unpatched vulnerability, labeled CVE-2024-38200 and rated 7.5 on the CVSS scale, allows attackers to impersonate users and potentially access confidential data. Researchers Jim Rush and Metin Yunus Kandemir discovered the vulnerability and reported it to Microsoft.
To exploit the flaw, attackers would typically trick users into opening malicious files disguised as legitimate documents. While Microsoft has implemented a temporary fix, a permanent patch is scheduled for release on August 13 as part of its regular security updates.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft said in an advisory.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
The affected versions include:
* Microsoft Office 2016 for 32-bit and 64-bit editions
* Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
* Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
* Microsoft Office 2019 for 32-bit and 64-bit editions
Users are advised to exercise caution when opening Office documents from unknown sources and to install the official patch as soon as it becomes available. Also, while customers are already protected on all in-support versions of Microsoft Office and Microsoft 365, it is important to update to the final version of the patch as and when it becomes available.






