Microsoft Warns of Unpatched Office Vulnerability Leading to Data Breaches
Briefly

Microsoft disclosed an unpatched zero-day vulnerability (CVE-2024-38200) in specific Office versions, with an expected patch release on August 13, 2024. A temporary alternative fix was activated on July 30, 2024, safeguarding in-support Office versions. The flaw, classified as 'Exploitation Less Likely,' could lead to unauthorized disclosure of sensitive data.
In a web-based attack, the zero-day could be exploited if a user clicks on a specially crafted file hosted on a malicious or compromised site. Microsoft emphasized the importance of updating to the final patch for optimal protection as the temporary fix may not offer complete security against exploitation.
Microsoft suggested blocking outbound TCP 445/SMB traffic using firewalls and VPNs to mitigate the risk of the zero-day vulnerability. Although exploitation is deemed less likely, implementing these measures can strengthen defenses against potential attacks.
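To see which hosts the outbound SMB block would affect, and whether it is holding, the following added example (not from Microsoft or the source article) scans connection records for TCP/445 flows that leave the internal address ranges. The CSV log layout, the internal ranges and the sample records are assumptions constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Assumption: these ranges count as "inside"; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]
FIELDS = ("time", "src", "dst", "dport", "proto", "action")  # hypothetical log layout

# Constructed sample records (documentation address ranges stand in for external hosts).
SAMPLE_LOG = """\
2024-08-09T10:01:02Z,10.1.4.23,10.1.0.5,445,tcp,allow
2024-08-09T10:01:07Z,10.1.4.23,203.0.113.10,445,tcp,allow
2024-08-09T10:02:11Z,10.1.7.8,198.51.100.77,443,tcp,allow
2024-08-09T10:03:30Z,192.168.20.14,2001:db8::15,445,tcp,deny
2024-08-09T10:04:00Z,10.1.9.2,203.0.113.10,445,udp,allow
malformed line
""".splitlines()

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def external_smb_flows(lines):
    """Return {src: [(time, dst, action), ...]} for TCP/445 flows leaving the internal ranges."""
    hits = defaultdict(list)
    for row in csv.DictReader(lines, fieldnames=FIELDS):
        try:
            if row["proto"].lower() != "tcp" or int(row["dport"]) != 445:
                continue
            if is_internal(row["src"]) and not is_internal(row["dst"]):
                hits[row["src"]].append((row["time"], row["dst"], row["action"]))
        except (ValueError, TypeError, AttributeError):
            continue  # skip malformed or truncated records
    return dict(hits)

def still_allowed(hits):
    """Sources with at least one external SMB flow that the firewall let through."""
    return sorted(s for s, flows in hits.items() if any(a == "allow" for _, _, a in flows))

if __name__ == "__main__":
    for src, flows in external_smb_flows(SAMPLE_LOG).items():
        print(src, flows)
```

Hosts returned by `still_allowed` are the ones where the outbound block is missing or bypassed; internal-to-internal SMB is deliberately ignored.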
Read at The Hacker News