CVE-2024-38200

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Published: Aug 8, 2024

Note: To apply this security update, you must have the release version of Microsoft Office 2016 installed on the computer. Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2016.

Classification: Critical, Solution: Official Fix, Exploit Maturity: High, CVSSv3.1: 9.8, CVEs: CVE-2024-21302, CVE-2024-29995, CVE-2024-37968, CVE-2024-38063, CVE-2024-38084, CVE-2024-38098, CVE-2024-38106, CVE-2024-38107, CVE-2024-38108, CVE-2024-38109, CVE-2024-38114, CVE-2024-38115, CVE-2024-38116, CVE-2024-38117, CVE-2024-38118, CVE-2024-38120, CVE-2024-38121, CVE-2024-38122, CVE-2024-38123, CVE-2024-38125 (+82 other associated CVEs), Summary: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/ Today is Microsoft's August 2024 Patch Tuesday, which includes security updates for 89 flaws, including six actively exploited and three publicly disclosed zero-days. Microsoft is still working on an update for a tenth publicly disclosed zero-day. This Patch Tuesday fixed eight critical vulnerabilities, which were a mixture of elevation of privileges, remote code execution, and information disclosure. The number of bugs in each vulnerability category is listed below:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

Microsoft has warned that attackers could exploit the vulnerability to deceive them into sharing sensitive data once a user opens the malicious document. Cybercriminals could exploit this flaw by creating seemingly legitimate documents that trick users into disclosing critical data, compromising personal, financial, or corporate security.

A well-known and AI-driven cybersecurity platform, Cyble, has identified several high-priority vulnerabilities across products from Microsoft, Qualcomm, and the Common Unix Printing System (CUPS). CVE-2024-47176: Vulnerabilities in CUPS could enable attackers to execute remote code via distributed denial-of-service (DDoS) attacks.

Microsoft’s Patch Tuesday included five new zero-day vulnerabilities, two of which are being actively exploited – and Cyble researchers have observed threat actors discussing the other three zero-days on cybercrime forums. Additionally, Cyble researchers detected 14 vulnerabilities and exploits shared on cybercrime forums that security analysts should also prioritize – including the three Microsoft zero-days not yet under active exploitation.

Microsoft’s Patch Tuesday included five new zero-day vulnerabilities, two of which are being actively exploited – and Cyble researchers have observed threat actors discussing the other three zero-days on cybercrime forums. Additionally, Cyble researchers detected 14 vulnerabilities and exploits shared on cybercrime forums that security analysts should also prioritize – including the three Microsoft zero-days not yet under active exploitation.

The vulnerability tracked as CVE-2024-38200 is an information disclosure in Microsoft Office (multiple versions) that allows attackers to capture sensitive authentication data, such as NTLMv2 hashes, over HTTP and SMB protocols. Welcome to TheCyberThrone cybersecurity week in review will be posted covering the important security happenings.