Microsoft Office users face a zero-day vulnerability (CVE-2024-38200) with potential data leaks. While a patch is pending, temporary fixes are available. This article details the vulnerability, affected versions, and mitigation strategies.

Continue reading
Microsoft has recently disclosed a critical zero-day vulnerability (CVE-2024-38200) in its Office suite, which could potentially allow unauthorized access to sensitive information.
The vulnerability impacts the following versions of Microsoft Office:
In a typical web-based attack, a malicious actor might host a website (or compromise an existing one) containing a specially crafted file designed to exploit the vulnerability. The attacker would then lure users to visit the website and open the malicious file, potentially through enticing links in emails or instant messages.
While a formal patch is expected to be released on August 13, Microsoft has already enabled an alternative fix through Feature Flighting since July 30, 2024. Additionally, the company recommends the following mitigation strategies:
This disclosure comes amidst Microsoft's ongoing efforts to address two other zero-day flaws (CVE-2024-38202 and CVE-2024-21302) that could potentially bypass Windows security updates and reintroduce old vulnerabilities. Moreover, Elastic Security Labs recently unveiled various methods that attackers can exploit to run malicious apps without triggering Windows Smart App Control and SmartScreen warnings.
Although Microsoft has assessed the exploitation of this vulnerability as "Less Likely," users are strongly encouraged to update their systems with the final patch when it becomes available for optimal protection. Staying vigilant and adopting proactive security measures is crucial in the face of evolving cyber threats.

A publicly accessible registration portal, a misconfigured Entra tenant, and no server-side authorization checks. That was enough to reach the systems controlling live World Cup streams