Alert Essentials:
A threat actor could craft a malicious link that bypasses the Protected View feature in Microsoft Office, resulting in credential theft and Remote Code Execution (RCE) without user interaction. This easily triggered zero-click flaw was recently weaponized and is under active exploitation.
Verify that Microsoft's February 13, 2024 patches have been deployed to all devices in the environment.
Detailed Threat Description:
Protected View is an option in Microsoft Office that allows users to open potentially unsafe files as read-only. When enabled, this feature opens Office documents in read-only mode with macros and other content disabled.
Microsoft issued a patch for an improper input validation flaw, tracked as CVE-2024-21413, one year ago. This critical vulnerability, rated CVSS 9.8, allows attackers to gain RCE by bypassing the Protected View feature.
The bypass is achieved using the file:// protocol and adding an exclamation mark to URLs pointing to attacker-controlled servers. Successful attacks can result in the theft of NTLM credentials and the execution of arbitrary code via maliciously crafted Office documents.
The exploit also triggers when a malicious email is rendered in Outlook's preview pane, so no click on the link is required. This easily exploited zero-click weakness is a significant risk for any organization that has yet to deploy the February 2024 fixes.
Customers running impacted Office versions should immediately install all the updates listed for their edition. The flaw has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog with a remediation due date of February 27, 2025.
Impacts on Healthcare Organizations:
Exploiting this vulnerability allows attackers to bypass security mechanisms like Protected View, enabling them to steal sensitive patient information or other confidential data stored within the network.
Organizations should deploy secure email gateways and tools capable of detecting and blocking malicious hyperlinks to enhance network security. They should also educate staff on identifying phishing attempts, handling suspicious emails, and practicing safe email habits.
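To illustrate the kind of hyperlink check the email-security tooling above should perform, here is an added example (not code from Fortified or Microsoft) that scans an HTML email body for `file:` links whose UNC target is followed by the `!` delimiter described above, and flags those pointing at hosts outside the organization. The sample message body, the hostnames `files.example.net` and `fileserver`, and the trusted-host allowlist are all constructed for the example.

```python
import ipaddress
import re
from collections import namedtuple
from html.parser import HTMLParser

# A file: link whose UNC target is followed by '!' is the form described
# above; ordinary file: links to internal shares are common and benign.
MONIKER_RE = re.compile(
    r"^\s*file:[/\\]{2,}"   # file:// or file:\\ with any run of slashes
    r"([^/\\\s!]+)"         # host (UNC server name or IP address)
    r"([/\\][^!\s]*)?!",    # optional share/file path, then the '!' delimiter
    re.IGNORECASE,
)
Finding = namedtuple("Finding", "href host external")

class _HrefCollector(HTMLParser):
    """Collects every <a href=...> value from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self.hrefs.extend(v for k, v in attrs if k.lower() == "href" and v)

def _is_external(host, trusted_hosts):
    """External means: not an explicitly trusted name and not a private IP."""
    if host.lower() in trusted_hosts:
        return False
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return "." in host   # unqualified names are assumed to be internal

def find_moniker_links(html_body, trusted_hosts=frozenset()):
    """Return a Finding for each file:-with-'!' link, flagging external hosts."""
    collector = _HrefCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.hrefs:
        m = MONIKER_RE.match(href)
        if m:
            findings.append(Finding(href, m.group(1), _is_external(m.group(1), trusted_hosts)))
    return findings

# Constructed sample body (not a real message); files.example.net stands in
# for an attacker-controlled server, fileserver for a trusted internal share.
SAMPLE_BODY = """<html><body><p>Please review the attached policy.</p>
<a href="file:///\\\\files.example.net\\share\\policy.rtf!anything">policy.rtf</a>
<a href="file://fileserver/public/handbook.docx">handbook.docx</a>
<a href="https://intranet.example.org/news!today">news</a></body></html>"""
```

Running `find_moniker_links(SAMPLE_BODY, {"fileserver"})` reports only the first link, marked external; the plain internal share link and the HTTPS link containing `!` are not flagged.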
Affected Products / Versions:
| Product | Build Number |
|---|---|
| Microsoft Office 2016 (32-bit edition) | 16.0.5435.1001 |
| Microsoft Office 2016 (64-bit edition) | 16.0.5435.1001 |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run |
| Microsoft Office 2019 for 64-bit editions | Click to Run |
KBs:
5002537, 5002467, 5002522, 5002469, 5002519
CVEs:
CVE-2024-21413 – CWE-20 – (CVSS 9.8)
Recommendations:
Engineering Recommendations:
- Ensure all affected versions of Microsoft Outlook are updated with the latest security patches from Microsoft
- For Microsoft Exchange Server installations, ensure Extended Protection for Authentication (EPA) is enabled, which protects against this vulnerability
- Implement robust email security solutions capable of detecting and blocking malicious hyperlinks
- Tenable has released two plugins that identify CVE-2024-21413 in scan results:
  - 190541: Security Updates for Microsoft Office Products C2R (February 2024)
  - 190483: Security Updates for Microsoft Office Products (February 2024)
Leadership/Program Recommendations:
- Train staff to recognize phishing attempts and avoid clicking on suspicious links
- Use intrusion detection systems to monitor for exploitation attempts
- Update incident response plans to ensure your organization is prepared to respond quickly to potential threats related to this vulnerability
- Evaluate potential vulnerabilities in your supply chain, especially for vendors using Microsoft Exchange Server
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Microsoft: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21413
- Microsoft Exchange Server HealthChecker: https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker