Security analyst sides with Mitre, describes flaw as ‘fantastic win for phishing campaigns.’

There is a distinct difference of opinion on the level of harm a newly revealed Microsoft Office vulnerability exposing NT LAN Manager (NTLM) hashes, tracked as CVE-2024-38200, could cause to organizations. The vulnerability affects multiple 32-bit and 64-bit versions of Office, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

As reported in CSO earlier this year, NTLM is the default authentication mechanism used on Windows networks when a computer tries to access network resources or services, for example file shares, over the SMB (Server Message Block) protocol.

In a security advisory last updated on Saturday, Microsoft gave the flaw “Exploitation Less Likely” status, which it defines in part as follows: “Microsoft analysis has shown that while exploit code could be created, an attacker would likely have difficulty creating the code, requiring expertise and/or sophisticated timing, and/or varied results when targeting the affected product. Moreover, Microsoft has not recently observed a trend of this type of vulnerability being actively exploited in the wild. This makes it a less attractive target for attackers.”

Mitre, on the other hand, states in its analysis that the likelihood of exploitation from the exposure of NTLM hashes is high, and that information exposures can occur in different ways, key among them being “the code manages resources that intentionally contain sensitive information, but the resources are unintentionally made accessible.” The analysis notes that sensitive information could include personal information such as health records, business secrets and intellectual property, network status and configuration, and “system status and environment, such as the operating system and installed packages.”

David Shipley, CEO of Beauceron Security, based in Fredericton, New Brunswick, said Tuesday, “I think Mitre has it right on this call. I mean, this is a fantastic win for phishing campaigns, which are still the number one way to attack most organizations.”

He added, “If attackers combine this vulnerability with a well-crafted phishing lure, it could be a major headache, particularly if organizations don’t have a good security awareness program and have click rates north of 10%, or in many worst cases, as high as 30%.”

This issue, said Shipley, “is also another reason organizations need to pay attention to what suspicious e-mails their people are reporting. It may be early warning that a vulnerability like this is being targeted.”

The Microsoft advisory said, “the following mitigating factors may be helpful in your situation: Configuring the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy setting provides the ability to allow, block, or audit outgoing NTLM traffic from a computer running Windows Server 2008, Windows Server 2008 R2, or later to any remote server running the Windows operating system. Performing this mitigation allows you to block or audit all attempts to connect to remote servers through NTLM authentication.”

Other mitigations, it said, include adding users to the Protected Users Security Group, “which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible.”

The advisory goes on to say, “in a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”

Final versions of a fix were scheduled to be released on Tuesday.
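The two mitigations Microsoft's advisory names, checking the outgoing-NTLM policy and Protected Users membership, as an added PowerShell example that is not from the article or the advisory. It assumes an elevated session on a domain-joined Windows host with the RSAT ActiveDirectory module installed, and that the policy is applied locally rather than overridden by Group Policy.

```powershell
# Added example (not from the CSO article or Microsoft's advisory).
# Registry value behind "Network Security: Restrict NTLM: Outgoing NTLM traffic
# to remote servers": 0 = Allow all, 1 = Audit all, 2 = Deny all.
$NtlmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NtlmName = 'RestrictSendingNTLMTraffic'

function Get-OutgoingNtlmPolicy {
    # Returns the configured mode; a missing value means the default (allow).
    $v = (Get-ItemProperty -Path $NtlmKey -Name $NtlmName -ErrorAction SilentlyContinue).$NtlmName
    switch ($v) {
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { 'Allow all (default or explicit)' }
    }
}

function Set-OutgoingNtlmAudit {
    # Audit mode first: outgoing NTLM is logged, not blocked, so you can find
    # legitimate NTLM dependencies before moving to Deny (value 2).
    if (-not (Test-Path $NtlmKey)) { New-Item -Path $NtlmKey -Force | Out-Null }
    Set-ItemProperty -Path $NtlmKey -Name $NtlmName -Value 1 -Type DWord
}

function Get-RecentOutgoingNtlmAudits {
    # Event 8001 in the NTLM Operational log records outgoing NTLM audits.
    Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object Id -eq 8001 |
        Select-Object TimeCreated, Message
}

function Test-ProtectedUsersMembership {
    # Reports whether each named account is in "Protected Users", which blocks
    # NTLM for those accounts (the advisory suggests it for Domain Admins).
    param([string[]]$SamAccountNames)
    $members = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
    foreach ($name in $SamAccountNames) {
        [pscustomobject]@{ Account = $name; InProtectedUsers = ($members -contains $name) }
    }
}

# Example run: 'da-admin' is a constructed placeholder account name.
"Outgoing NTLM policy: $(Get-OutgoingNtlmPolicy)"
Test-ProtectedUsersMembership -SamAccountNames @('da-admin') | Format-Table -AutoSize
```

Run Get-OutgoingNtlmPolicy and review the 8001 audit events for a while before switching the value to 2, since any remaining legitimate NTLM-only service will fail once outgoing NTLM is denied.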