CVE-2024-38226: Microsoft Publisher Security Feature Bypass Vulnerability

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Category

Security Feature Bypass

Exploit Status

Actively Exploited

Exploitation Likelihood

Detected

Patch Tuesday

2024-Sep

Released

2024-09-10

Last Updated

2024-10-06

EPSS Score

1.43% (percentile: 80.7%)

CISA KEV

Listed — due 2024-10-01

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability? An attacker who successfully exploited this vulnerability could bypass Office macro policies used to block untrusted or malicious files. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, the attack vector is local (AV:L), privileges are required (PR:L) and user interaction is required (UI:R). How could an attacker exploit this security feature bypass vulnerability? The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.

Affected Products (6)

Microsoft Office

• Microsoft Office 2019 for 32-bit editions
• Microsoft Office 2019 for 64-bit editions
• Microsoft Office LTSC 2021 for 64-bit editions
• Microsoft Office LTSC 2021 for 32-bit editions
• Microsoft Publisher 2016 (32-bit edition)
• Microsoft Publisher 2016 (64-bit edition)

Security Updates (2)

• 5002566
• 5002566

Revision History

• 2024-09-10: Information published.
• 2024-10-06: Updated links to security updates. This is an informational change only.