
Microsoft has recently disclosed a significant security vulnerability affecting multiple versions of its Office suite, including Office 2016, Office 2019, Office LTSC 2021 and Microsoft 365 Apps for Enterprise. This flaw, identified as CVE-2024-38200, is categorised as high-severity and could allow unauthorised remote attackers to obtain NTLM (NT LAN Manager) hashes, potentially leading to further exploitation. 

The vulnerability is caused by an information disclosure weakness in the affected Office versions. In a typical attack scenario, an attacker could host or compromise a website that includes a specially crafted file designed to exploit this flaw. The attacker would then need to convince the target to visit the site and open the file, possibly through phishing emails or instant messaging. 

This type of weakness is assessed as having a high likelihood of exploitation. A threat actor who successfully exploits it could steal NTLM hashes, which could then be cracked to reveal login credentials. 

Microsoft is actively working on a security update to fully address this vulnerability, but in the meantime it implemented an alternative fix on 30 July 2024. Customers using in-support versions of Microsoft Office and Microsoft 365 are already protected; however, all users are strongly advised to install the 13 August 2024 updates for a permanent fix. 

Microsoft advises blocking outbound NTLM traffic using the following three methods: 

  1. Configure the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" group policy to block outgoing NTLM traffic from computers running Windows 7, Windows Server 2008, or later.
  2. Add users to the Protected Users Security Group to restrict the use of NTLM as an authentication mechanism. 
  3. Block all outbound traffic to TCP port 445. 
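As an added example that is not part of this advisory, the PowerShell below audits the current state of the three mitigations above and applies them on a Windows host; the firewall rule name, the audit-first default and the parameter names are this example's own choices, and the Protected Users step needs the ActiveDirectory RSAT module and domain rights.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
# Registry value behind "Network security: Restrict NTLM: Outgoing NTLM traffic
# to remote servers": 0 = Allow all, 1 = Audit all, 2 = Deny all.
$ValueName = 'RestrictSendingNTLMTraffic'
$RuleName  = 'Block outbound SMB (TCP 445)'   # example's own rule name

function Get-NtlmMitigationStatus {
    # Reports how each of the three mitigations is currently configured.
    $ntlm = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OutgoingNtlmPolicy    = switch ($ntlm) { 2 { 'Deny all' } 1 { 'Audit all' } default { 'Allow all (not configured)' } }
        Tcp445OutboundBlocked = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    }
}

function Enable-NtlmMitigations {
    param(
        [ValidateSet('Audit', 'Deny')] [string] $Mode = 'Audit',  # audit first, then deny
        [string[]] $ProtectedUsers = @()                          # sAMAccountNames to add
    )
    # 1. Restrict outgoing NTLM. Audit (1) only logs attempts to the
    #    Microsoft-Windows-NTLM/Operational event log; Deny (2) blocks them.
    $value = if ($Mode -eq 'Deny') { 2 } else { 1 }
    New-Item -Path $LsaKey -Force | Out-Null
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $value -Type DWord

    # 2. Protected Users members cannot authenticate with NTLM at all.
    foreach ($user in $ProtectedUsers) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $user
    }

    # 3. Block outbound TCP 445 so SMB-carried NTLM challenges never leave the host.
    #    On a domain-joined host, scope this with -RemoteAddress to internet ranges
    #    only, or SMB to internal file servers and domain controllers will break too.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
}

Get-NtlmMitigationStatus
```

Run `Enable-NtlmMitigations -Mode Audit` first and review the NTLM operational log for legitimate outbound NTLM use before switching to `-Mode Deny`.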

To mitigate the risk associated with this vulnerability, Cyber and Fraud Centre – Scotland recommends the following actions: 

  • Update software: Ensure that your Microsoft Office suite is up to date, especially with the 13 August 2024 updates. 
  • Stay vigilant: Be alert to phishing attempts or other tactics that could lead to visiting malicious websites or opening suspicious files. 
