Critical Vulnerability in Microsoft Office Suite: CVE-2024-21413

Microsoft has reported a critical vulnerability in Office Suite, dubbed CVE-2024-21413, requiring immediate patching 


In a recent revelation, Microsoft has highlighted a critical vulnerability in its Office suite, identified as CVE-2024-21413, which poses a substantial risk to users by allowing attackers to sidestep essential security protocols. Approximately 97,000 Microsoft Exchange servers are at risk from a critical privilege escalation flaw, which bad actors are currently exploiting. Microsoft issued a fix for this vulnerability, which had been exploited as a zero-day, on February 13. To date, 28,500 servers remain vulnerable.

This security flaw is particularly alarming because it compromises the Protected View feature in Office documents, which is designed to safeguard users by opening potentially harmful files in a read-only mode. Instead, this vulnerability allows malicious files to be opened in editing mode, directly exposing users to potential cyber risks.

The severity of this issue is further compounded by the fact that the Preview Pane in Office applications serves as a conduit for exploiting this flaw. Even a simple preview of a maliciously crafted Office document can trigger a successful attack, illustrating the ease with which cybercriminals can leverage this vulnerability. Microsoft has underlined that these attacks can be carried out remotely, requiring no authentication or user interaction, thereby categorizing them as “low-complexity” but with “significant potential for damage.”  

Upon successful exploitation, attackers could obtain elevated privileges within the system, enabling them to read, write, and delete files at will. More concerning is the ability of these attackers to construct a malicious link that effectively circumvents the Protected View Protocol. This breach could lead to the exposure of sensitive NTLM credential information and facilitate remote code execution (RCE), further escalating the threat landscape.  

The vulnerability affects a broad spectrum of Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019, which are currently under extended support. This wide-ranging impact underscores the critical nature of this security flaw and the need for immediate remedial action. 

A novel attack method associated with this vulnerability, dubbed the Moniker Link, makes it possible to embed malicious links in emails that bypass Outlook’s built-in protections against suspicious links. The security measures can be bypassed by simply adding an exclamation mark (!) after the document extension in a URL pointing to an attacker-controlled server, and the remote resource is accessed without triggering any warnings.

This hyperlink manipulation exploits the MkParseDisplayName API, raising concerns that other software utilizing this API may also be at risk. The potential consequences of an attack leveraging CVE-2024-21413 are grave, including the theft of NTLM credentials and the execution of arbitrary code through malicious Office documents. This overlooked flaw, believed to have existed in the Windows/COM ecosystem for decades, highlights a fundamental vulnerability within the core of COM APIs.  
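A mail-filtering check for the link pattern described above, added here as an example (not TrueFort's or Microsoft's code). It assumes the links of interest are `file:` URLs or UNC paths, which the article does not spell out; the function name, sample message and host name are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote

# A file extension immediately followed by "!" is the marker the article describes.
# Assumption: only file: URLs and UNC paths are treated as remote file links here.
MONIKER = re.compile(r"^(?:file:|\\\\)[^!]*\.[a-z0-9]{1,5}!", re.IGNORECASE)

class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def suspicious_links(raw_message: str) -> list[str]:
    """Return hrefs from HTML parts that put '<ext>!' inside a file/UNC link."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        collector = _HrefCollector()
        collector.feed(html)
        # Percent-decode first so "%21" cannot hide the exclamation mark.
        hits += [h for h in collector.hrefs if MONIKER.match(unquote(h).strip())]
    return hits

# Constructed sample message (not from the article); the host is a placeholder.
SAMPLE = """\
From: a@example.com
Subject: constructed test
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p><a href="file:///\\\\fileserver.example\\share\\q1.rtf!x">Q1 report</a></p>
<p><a href="file:///\\\\fileserver.example\\share\\q1.rtf">plain file link</a></p>
<p><a href="https://example.com/help!.html">web link</a></p>
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE):
        print("flag:", link)
```

Only the first link in the sample is flagged; a hit is a reason to quarantine or strip the link at the gateway, and patching remains the fix.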

In light of these findings, it is recommended that all Outlook users apply the official patch released by Microsoft to mitigate the risks associated with CVE-2024-21413. Microsoft initially indicated that this bug was being exploited in the wild as a zero-day, leading to an urgent call for patches. This assertion was, however, later retracted, indicating a miscommunication in the exploitability assessment.

This incident serves as a stark reminder of the ever-present and evolving cybersecurity threats of 2024. Organizations and individual users alike must commit to keeping their software up to date with the latest security patches to protect against unknown cybersecurity vulnerabilities.

