Microsoft has revealed a serious security flaw in its Office software that threat actors can use to access sensitive information. The flaw has been described as a spoofing technique that uses social engineering to lure users into clicking maliciously crafted links that mimic the original websites. The vulnerability was first discovered by security researchers, who subsequently reported it to Microsoft.
The vulnerability is identified as CVE-2024-38200 and is rated 7.5 on the Common Vulnerability Scoring System (CVSS) scale. It can also be exploited through malicious files disguised as legitimate documents.
Microsoft has also described the issue, adding, “In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability.”
The company has further said, “However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
Microsoft Office users are therefore strongly advised to exercise caution when handling Office documents from unknown or untrusted sources.
The official patch will likely be released on August 13, as part of Microsoft’s regular security update cycle. The Office versions currently at risk are Microsoft Office 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Microsoft Office 2019.