Microsoft has revealed that there is a serious security flaw in their Office software service, which can be used by threat actors to access sensitive information. It has been described as a spoofing flaw that uses social engineering to lure users to click on maliciously crafted links, which are aiming to mimic the original websites.
This vulnerability is identified as CVE-2024-38200 and rated 7.5 on the Common Vulnerability Scoring System (CVSS) scale. It was discovered by security researchers Jim Rush and Metin Yunus Kandemir, who subsequently reported it to Microsoft. The vulnerability can also be exploited through malicious files disguised as legitimate documents.
Microsoft has also stated this issue and added, "In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability.”
Further, the company has said, “However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
Hence, Microsoft Office users are strongly advised to exercise caution when handling Office documents from unknown or untrusted sources. The official patch is expected to be released on August 13, as part of Microsoft’s regular security update cycle. Currently, the Office versions which are at risk are, Microsoft Office 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Microsoft Office 2019.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
