CVE-2023-36761: Microsoft Word (Multiple Versions) – Disclosure of Sensitive NTLM Hashes to Unauthorised Actors via Preview Pane

Background & Context

Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983, under the name Multi-Tool Word for Xenix systems. Commercial versions of Word are licensed as a standalone product or as a component of Microsoft 365 suite of software, which can be purchased either with a perpetual license or as part of a Microsoft 365 subscription, respectively.

In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used, or can be used, on a system is governed by Group Policy settings, for which different versions of Windows have different default settings.


Vulnerability Summary

Microsoft reports that the preview pane in Microsoft Word contains a security vulnerability. Previewing a specially crafted file can cause the disclosure of New Technology LAN Manager (NTLM) hashes to unauthorised actors. Net-NTLMv2 hashes are used for authentication in Windows environments and so should not be exposed to unauthorised actors.


Impact If Exploited

If a malicious actor gains access to these NTLM hashes, they could be abused in NTLM relay or pass-the-hash attacks to extend an attacker's foothold within an organisation. An attacker can potentially impersonate another user, gaining unauthorised access to sensitive data and systems. They could also conduct pass-the-hash attacks, in which the attacker uses the hashed form of a password to authenticate without needing to recover the plaintext. By chaining this flaw with a second vulnerability, CVE-2023-36802 (a technique known as an exploit chain), an attacker could use both zero-day vulnerabilities in combination to obtain user credentials and then take over multiple systems.

NOTE: CISA (America's Cyber Defense Agency) has reported that this vulnerability is known to be actively exploited in the wild as of 2023-09-13. Remediation should be treated as a high priority in vulnerable environments in order to prevent possible exploitation.


Affected Product Versions

  • Microsoft Word 2013 Service Pack 1 (64-bit editions) prior to release 15.0.5589.1001
  • Microsoft Word 2013 Service Pack 1 (32-bit editions) prior to release 15.0.5589.1001
  • Microsoft Word 2013 RT Service Pack 1 prior to release 15.0.5589.1001
  • Microsoft Word 2016 (64-bit edition) prior to release 16.0.5413.1000
  • Microsoft Word 2016 (32-bit edition) prior to release 16.0.5413.1000
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft Office 2019 for 32-bit editions
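The list above mixes two kinds of entry: the Word 2013 and Word 2016 lines name a fixed build, while Office 2019, Office LTSC 2021 and Microsoft 365 Apps are listed as affected without one. The following Python helper, added here as a worked example and not AppCheck's own tooling, takes a four-part Word build string (as read from the Word binary's file version or an asset inventory) and classifies it against the fixed builds this advisory names. It assumes that 16.0 builds with a four-digit third component belong to the MSI Word 2016 line, and that five-digit 16.0 builds belong to the Click-to-Run products (2019, LTSC 2021, Microsoft 365 Apps), for which it reports "check vendor update" rather than guessing a fixed build the advisory does not give. The inventory at the bottom is constructed sample data.

```python
"""Classify Microsoft Word build numbers against the fixed releases named in
this advisory (CVE-2023-36761).  Added example, not AppCheck's own code.

Fixed builds taken from the advisory:
  Word 2013 SP1 (incl. RT):  15.0.5589.1001
  Word 2016 (MSI):           16.0.5413.1000
Office 2019, Office LTSC 2021 and Microsoft 365 Apps are listed as affected
but no fixed build is given for them here.
"""
from typing import Dict, Tuple

# Fixed builds from the advisory, keyed by product family.
FIXED_BUILDS: Dict[str, Tuple[int, int, int, int]] = {
    "Word 2013 SP1": (15, 0, 5589, 1001),
    "Word 2016":     (16, 0, 5413, 1000),
}

C2R_FAMILY = "Office 2019 / LTSC 2021 / Microsoft 365 Apps"


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '16.0.5413.1000' into (16, 0, 5413, 1000); reject malformed input."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Office build number: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> Tuple[str, str]:
    """Return (product_family, verdict) for a Word build string.

    Verdicts:
      'vulnerable'          below the fixed build named in the advisory
      'fixed'               at or above the fixed build named in the advisory
      'check vendor update' listed as affected, but no fixed build given here
      'unknown'             not a version family this advisory covers
    """
    major, minor, build, _rev = parse_build(version)
    if major == 15 and minor == 0:
        family = "Word 2013 SP1"
    elif major == 16 and minor == 0 and build < 10000:
        # Assumption: four-digit 16.0.x builds are the MSI Word 2016 line.
        family = "Word 2016"
    elif major == 16 and minor == 0:
        # Assumption: five-digit 16.0.x builds are Click-to-Run products,
        # for which the advisory lists no fixed build.
        return (C2R_FAMILY, "check vendor update")
    else:
        return ("unrecognised", "unknown")
    # Tuple comparison orders build numbers component by component.
    verdict = "fixed" if parse_build(version) >= FIXED_BUILDS[family] else "vulnerable"
    return (family, verdict)


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Classify every host in a {hostname: build} inventory."""
    return {host: classify(build) for host, build in inventory.items()}


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = {
    "ws-finance-01": "15.0.5589.1000",   # Word 2013 SP1, one revision short
    "ws-finance-02": "15.0.5589.1001",   # Word 2013 SP1, at the fixed build
    "ws-hr-07":      "16.0.5397.1000",   # Word 2016 MSI, below the fixed build
    "ws-legal-03":   "16.0.16731.20234", # Click-to-Run (365 Apps), no build given
}

if __name__ == "__main__":
    for host, (family, verdict) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {family:45} {verdict}")
```

Hosts reported as "check vendor update" should be compared against the release notes for their own update channel rather than against the Word 2016 build, since a five-digit Click-to-Run build will always compare as "higher" than 16.0.5413.1000 and would otherwise be misreported as fixed.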

Remediation

Official Fix & Remediation Guidance

Customers are advised to upgrade to the latest version of Microsoft Word. Security updates are available at the following links (or may also be obtained via the operating system's built-in security update mechanism):

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.


Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References

Category: Sensitive Data Disclosure


Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, networks, and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
