CVE-2024-30104
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code on a victim's system by tricking them into opening a specially crafted Office document. It affects Microsoft Office users who open malicious files. Successful exploitation gives attackers the same privileges as the logged-in user.
💻 Affected Systems
- Microsoft Office
📦 What is this software?
365 Apps by Microsoft
Office by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Malware installation, credential theft, or lateral movement within the network.
If Mitigated
Limited impact due to application sandboxing, least privilege accounts, or macro restrictions.
🎯 Exploit Status
Requires social engineering to deliver malicious file. No public exploit code known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft's monthly security updates for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30104
Restart Required: Yes
Instructions:
1. Open any Office application.
2. Go to File > Account > Update Options > Update Now.
3. Alternatively, use Windows Update for system-wide Office updates.
4. Restart affected systems after patching.
🔧 Temporary Workarounds
Block Office file types via email filtering
[all] Prevent delivery of potentially malicious Office documents via email
Enable Office Protected View
[windows] Force untrusted documents to open in Protected View mode
Set registry key: HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView to 1
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized Office execution
- Use network segmentation to isolate Office systems from critical assets
🔍 How to Verify
Check if Vulnerable:
Check Office version against Microsoft's security bulletin. Vulnerable if running unpatched versions.
Check Version:
In Word/Excel: File > Account > About [Application]. Or PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Office*"} | Select-Object Name, Version
Verify Fix Applied:
Verify Office version matches patched version in Microsoft advisory. Check that Windows Update shows no pending Office updates.
📡 Detection & Monitoring
Log Indicators:
- Office application crashes, unusual child processes spawned from Office apps, suspicious PowerShell execution from Office context
Network Indicators:
- Outbound connections from Office processes to unknown external IPs, unusual DNS queries from Office applications
SIEM Query:
source="windows" AND (event_id=4688 OR event_id=1) AND parent_process_name IN ("winword.exe", "excel.exe", "powerpnt.exe")
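
The "unusual child processes spawned from Office apps" indicator above, as an added Python example that is not from the original page or from Microsoft: it normalizes Sysmon Event ID 1 and Security Event ID 4688 records and flags non-Office processes whose parent is an Office app. The JSON-lines input layout, the HIGH_RISK list, the host name and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}  # parents named in the query
# Assumption: interpreters that rarely belong under Office; tune per environment.
HIGH_RISK = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# (child field, parent field) for Sysmon Event ID 1 and Security Event ID 4688.
FIELDS = {1: ("Image", "ParentImage"), 4688: ("NewProcessName", "ParentProcessName")}

def base(path):  # lower-cased file name of a Windows path, on any host OS
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return a finding for a non-Office process created by an Office app, else None."""
    fields = FIELDS.get(event.get("EventID"))
    if fields is None:
        return None  # not a process-creation event
    child, parent = base(event.get(fields[0])), base(event.get(fields[1]))
    if parent not in OFFICE or child in OFFICE:
        return None  # Office-to-Office launches are routine
    return {"host": event.get("Computer"), "parent": parent, "child": child,
            "severity": "high" if child in HIGH_RISK else "review"}

def scan(lines):
    """Classify JSON-lines events, skipping malformed records."""
    findings = []
    for line in lines:
        try:
            finding = classify(json.loads(line))
        except (ValueError, AttributeError, TypeError):
            continue
        if finding:
            findings.append(finding)
    return findings

def _ev(event_id, child, parent):  # builds one constructed event as a JSON line
    c, p = FIELDS[event_id]
    return json.dumps({"EventID": event_id, "Computer": "WS-014", c: child, p: parent})

O16 = r"C:\Program Files\Microsoft Office\root\Office16"  # constructed path
SAMPLE = [  # constructed events, not real telemetry
    _ev(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", O16 + r"\WINWORD.EXE"),
    _ev(4688, r"C:\Windows\splwow64.exe", O16 + r"\EXCEL.EXE"),
    _ev(1, O16 + r"\EXCEL.EXE", O16 + r"\WINWORD.EXE"),
    _ev(4688, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    "{truncated",
]
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The "review" tier exists because Office starts some helper processes itself (the splwow64.exe print helper in the sample), so those children are baselined per environment rather than alerted on outright.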