CVE-2024-39804

7.1 HIGH

📋 TL;DR

A library injection vulnerability in Microsoft PowerPoint 16.83 for macOS allows malicious applications to inject specially crafted libraries, leveraging PowerPoint's access privileges to bypass permissions. This affects macOS users running the vulnerable version of PowerPoint, potentially enabling privilege escalation.

💻 Affected Systems

Products:
  • Microsoft PowerPoint
Versions: 16.83 for macOS
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects PowerPoint 16.83 on macOS; other versions or platforms may not be vulnerable. Requires PowerPoint to be installed and potentially executed.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains elevated privileges on the macOS system, potentially accessing sensitive files, installing malware, or compromising user data using PowerPoint's permissions.

🟠 Likely Case

Local privilege escalation where a malicious application abuses PowerPoint's permissions to perform unauthorized actions, such as reading protected files or executing commands with higher privileges.

🟢 If Mitigated

Limited impact if proper application sandboxing and least privilege principles are enforced, restricting PowerPoint's access to sensitive resources.

🌐 Internet-Facing: LOW, as this is a local vulnerability requiring a malicious application to be installed or executed on the target system.
🏢 Internal Only: MEDIUM, as internal users with local access could exploit this if they run malicious applications, but it requires user interaction or compromised local software.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious application to inject a library and start PowerPoint, implying some level of user interaction or local compromise. No public proof-of-concept has been disclosed as per the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for the latest patched version; typically, updates are released via Microsoft AutoUpdate or Office updates.

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-39804

Restart Required: Yes

Instructions:

1. Open Microsoft PowerPoint on macOS.
2. Go to Help > Check for Updates.
3. Install any available updates.
4. Restart PowerPoint and the system if prompted.

🔧 Temporary Workarounds

Restrict PowerPoint Execution

macOS

Limit PowerPoint's execution to reduce attack surface by using macOS sandboxing or application controls.

sudo spctl --master-enable
sudo spctl --enable --label "Microsoft PowerPoint"

Use Least Privilege

macOS

Run PowerPoint with reduced privileges or in a restricted user account to minimize impact if exploited.

🧯 If You Can't Patch

  • Disable or uninstall Microsoft PowerPoint if not needed to eliminate the vulnerability.
  • Implement strict application whitelisting to prevent unauthorized applications from running alongside PowerPoint.

🔍 How to Verify

Check if Vulnerable:

Check the PowerPoint version: open PowerPoint, go to PowerPoint > About PowerPoint, and check whether the version is 16.83.

Check Version:

defaults read /Applications/Microsoft\ PowerPoint.app/Contents/Info.plist CFBundleShortVersionString

Verify Fix Applied:

After updating, confirm the version is no longer 16.83 by checking in PowerPoint > About PowerPoint.
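
The version check above, wrapped as an added shell example for auditing more than one machine or a copied application bundle (not code from Microsoft or from the advisory). The function names and status words are this example's own; the bundle path and the affected version 16.83 are taken from this page, and the XML fallback assumes the key and its string value sit next to each other in the plist.

```shell
#!/bin/sh
# Added example: report whether a PowerPoint bundle is the affected build.
# APP_DEFAULT and AFFECTED come from the advisory text above.
APP_DEFAULT="/Applications/Microsoft PowerPoint.app"
AFFECTED="16.83"

# Print CFBundleShortVersionString from a bundle's Info.plist, or nothing.
ppt_version() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 0
    if command -v defaults >/dev/null 2>&1; then
        # On macOS, defaults reads both XML and binary plists.
        defaults read "$plist" CFBundleShortVersionString 2>/dev/null || true
    else
        # Fallback for an XML plist on a copied or mounted bundle
        # (assumption: <string> directly follows the <key>).
        tr -d '\n\t' < "$plist" |
            sed -n 's:.*<key>CFBundleShortVersionString</key> *<string>\([^<]*\)</string>.*:\1:p'
    fi
}

# Print a status word, plus the version when one was read:
# NOT_INSTALLED, UNKNOWN, VULNERABLE <ver>, NOT_AFFECTED <ver>
ppt_status() {
    app="${1:-$APP_DEFAULT}"
    if [ ! -d "$app" ]; then
        echo "NOT_INSTALLED"
        return 0
    fi
    ver="$(ppt_version "$app")"
    case "$ver" in
        "")          echo "UNKNOWN" ;;             # plist missing or unreadable
        "$AFFECTED") echo "VULNERABLE $ver" ;;     # exact match, per the advisory
        *)           echo "NOT_AFFECTED $ver" ;;
    esac
}

# Direct use: sh ppt_check.sh --check [path to .app bundle]
if [ "${1:-}" = "--check" ]; then
    ppt_status "${2:-}"
fi
```

An UNKNOWN result means the bundle exists but no version could be read, so that host needs a manual check rather than being counted as patched.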

📡 Detection & Monitoring

Log Indicators:

  • Unusual library loading events in macOS system logs (e.g., Console app) related to PowerPoint.
  • Suspicious process injections or privilege escalation attempts logged by security tools.

Network Indicators:

  • No direct network indicators as this is a local vulnerability.

SIEM Query:

source="macos_system_logs" AND process="Microsoft PowerPoint" AND (event="library injection" OR "privilege escalation")

🔗 References
