Critical Vulnerabilities in Windows Expose Downgrade Attack Risks

Two critical zero-day vulnerabilities affecting Microsoft's Office suite and the Windows operating system have been revealed at Black Hat 2024. Identified as CVE-2024-38200 and CVE-2024-21302, these vulnerabilities may compromise the security and integrity of a system, as well as data held in multiple Microsoft products.

CVE-2024-38200: Microsoft Office Spoofing Vulnerability

Nature of the Vulnerability:
CVE-2024-38200 is a spoofing vulnerability, which means that an attacker is able to fool the application into accepting or processing maliciously crafted data as legitimate. This vulnerability affects Microsoft Office applications, particularly in the handling of specific file formats or content embedded in Office documents.

Attack Vector:

Malicious File Crafting: An attacker creates a specially designed file, such as an Office document with embedded data that triggers the spoofing flaw when the document is opened.
User Interaction Required: Exploitation requires the target to open the malicious file. The attacker persuades the user to interact with the file through social engineering, for example spear phishing emails, fake alerts, or links to compromised websites hosting the file.

Impact:

Unauthorized Disclosure: A successful exploit may allow an attacker to gain unauthorized access to information that was otherwise protected, or to disclose it. This includes accessing internal data or exfiltrating confidential documents.
Limited by User Action: Since the attack cannot be automated to drive the user to the hostile site or open the file, it depends on user action to trigger the exploit.

Mitigation and Patching:

Final Patch: The formal patch is scheduled to be available today, August 13, 2024, as part of Microsoft's monthly Patch Tuesday updates. This update is highly important; deployment is necessary to close the vulnerability.

CVE-2024-38202: Windows Backup Privilege Escalation Vulnerability

CVE-2024-38202 is an elevation of privilege vulnerability in the Windows Backup component. It allows attackers to abuse the backup and restore operations offered by Windows Backup to reintroduce previously mitigated vulnerabilities or to circumvent some Virtualization-Based Security (VBS) features.

It enables an attacker with only basic user privileges to compromise a system by tricking or forcing a higher-privileged user, such as an administrator, into performing a system restore. The attacker manipulates the restore process to alter backup data or settings, which may turn off Virtualization-Based Security protections or once again expose patched vulnerabilities. This is usually done by tricking the privileged user into restoring tampered backup data.

Once the system restore has completed, the vulnerabilities will most likely have been reactivated, and attackers may exploit them to bypass the VBS protections that are meant to isolate sensitive system components from most types of attacks. This kind of exposure through the reintroduction of a mitigated vulnerability is serious, since it reopens an avenue for attackers to exploit known weaknesses in the system.

Mitigation and Patching:

Ongoing Development: Microsoft is currently working on a security update to address this vulnerability. At the moment no patch has been released, and users are advised to check Microsoft's Security Update Guide regularly for its release.
Workarounds:
Audit Policies: Configure auditing to log file access and modification events for both backup and restore operations.
Access Controls: Enforce proper access control and permissions on who can carry out backup and restore functions, and on what they may back up or restore.
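The two workarounds above can be applied and verified from an elevated PowerShell session. The script below is an added example written for this post, not Microsoft's guidance or code; it assumes a Windows host where you hold local administrator rights, and it only enables auditing, reports who holds the backup/restore user rights, checks whether VBS is actually running, and lists recent restore-privilege audit events.

```powershell
# Added example (not from the original post). Run as Administrator.

# 1. Audit policy: log use of sensitive privileges (SeBackupPrivilege and
#    SeRestorePrivilege produce event IDs 4673/4674 in the Security log).
auditpol.exe /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null

# Windows suppresses per-file audit events for backup/restore privilege use by default.
# The security option "Audit: Audit the use of Backup and Restore privilege" turns them on
# (REG_BINARY FullPrivilegeAuditing = 1). This is verbose; scope it to hosts where
# backup/restore activity should be rare.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'FullPrivilegeAuditing' -Value ([byte[]]@(1)) -Type Binary

# 2. Access control review: which accounts hold the backup/restore user rights?
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^(SeBackupPrivilege|SeRestorePrivilege)' | ForEach-Object {
    $name, $holders = $_.Line -split '\s*=\s*', 2
    $accounts = ($holders -split ',') | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')          # secedit writes SIDs as *S-1-5-32-544
        try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }                            # fall back to the raw SID if unresolvable
    }
    [pscustomobject]@{ Privilege = $name.Trim(); Holders = ($accounts -join ', ') }
} | Format-Table -AutoSize
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Verify VBS is running, not merely configured: a restored system may report it as
#    enabled while the protections are no longer active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbs = switch ($dg.VirtualizationBasedSecurityStatus) { 0 {'Off'} 1 {'EnabledNotRunning'} 2 {'Running'} }
[pscustomobject]@{
    VbsStatus       = $vbs
    ServicesRunning = $dg.SecurityServicesRunning -join ','   # 1 = Credential Guard, 2 = HVCI
} | Format-List

# 4. Detection: recent successful uses of SeRestorePrivilege (event 4673) in the last 24h.
$filter = @{ LogName = 'Security'; Id = 4673; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SeRestorePrivilege' } |
    Select-Object TimeCreated, @{n='User'; e={ $_.Properties[1].Value }}, Id |
    Format-Table -AutoSize
```

Review the output of step 2 against your change-control records: any account outside the expected backup operators or administrators holding SeRestorePrivilege deserves a closer look.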

Prevention:

Administrator Awareness: Administrators and other users with elevated privileges should be aware of the risk and should follow best practices so they do not fall victim to social engineering attempts.

Backup Security: The security of backup files and operations has to be ensured through encryption and by restricting access to authorized personnel only.

Conclusion

CVE-2024-38200 and CVE-2024-38202 are two critical vulnerabilities that may have a significant impact on Office and Windows systems respectively. CVE-2024-38200 shows that special attention needs to be paid to social engineering attacks and timely patching. CVE-2024-38202 underlines the dangers of backup and restore operations, especially in VBS-enabled environments.

Putting the recommended security measures in place and keeping pace with Microsoft's advisories are the two most important lines of defense against these vulnerabilities.
