Remote Code Execution – Microsoft Project (CVE-2024-38189).
Microsoft Project is a project management program. It is designed to assist a project manager in developing a schedule, assigning resources to tasks, tracking progress, managing the budget, and analyzing workloads.
The vulnerability was fixed as part of the August Patch Tuesday. The malicious code is executed when the victim opens a special Microsoft Office Project file, received in a phishing email or downloaded from the attacker’s website.
👾 For a successful attack, these security features must be disabled:
🔹 Policy “Block macros from running in Office files from the Internet” (enabled by default).
🔹 “VBA Macro Notification Settings“.
Previewing files in the “Preview Pane” is not an exploitation vector. 👍
As you can see, there are quite a few conditions required for a successful attack, but Microsoft has reported cases of exploitation of the vulnerability in the wild. 🤷♂️