MSRC compact vulnerability detail

CVE-2024-38189 · Microsoft Project Remote Code Execution Vulnerability

No description was published by MSRC.

Severity: Important
Impact: Remote Code Execution
CVSS: 8.8 base · 8.2 temporal
Release: 2024-08-13
Signals: Microsoft Office Project Remote Code Execution · Exploited: Yes · Publicly disclosed: No · Exploitability: Exploitation Detected
CWE
FAQ / Articles
FAQ
How could an attacker exploit this vulnerability?
Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the "Block macros from running in Office files from the Internet" policy is disabled and "VBA Macro Notification Settings" are not enabled, allowing the attacker to perform remote code execution. In an email attack scenario, an attacker could send the malicious file to the victim and convince them to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a malicious file designed to exploit the vulnerability. An attacker would have no way to force the victim to visit the website. Instead, an attacker would have to convince the victim to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the malicious file.
Mitigation
The following mitigating factors might be helpful in your situation: Microsoft strongly recommends that customers do not disable the "Block macros from running in Office files from the Internet" policy, which protects against this vulnerability. However, customers who have disabled this policy can alternatively enable "VBA Macro Notification Settings" to protect their systems from this vulnerability being exploited.
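The two policies named above are the only preconditions the advisory gives, so an administrator's first check is whether either one is in force for Microsoft Project. The following PowerShell audit is an added example, not part of the MSRC advisory; the registry path (the Office 16.0 "ms project" policy hive under HKCU) and the value names blockcontentexecutionfrominternet and vbawarnings are assumptions taken from the Office 2016+ policy templates.

```powershell
# Added audit example (not from the MSRC page). Reads the two Office policy values the
# advisory names for Microsoft Project and reports whether the documented exploitation
# precondition (both protections off) holds for the current user.
# ASSUMPTION: path and value names follow the Office 16.0 administrative templates.
$ProjectSecurityPolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\ms project\security'

# Meaning of the vbawarnings value set by the "VBA Macro Notification Settings" policy.
$VbaWarningNames = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not Configured".
    try { return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

function Test-ProjectMacroPolicy {
    param([string]$PolicyPath = $ProjectSecurityPolicy)

    $blockInternet = Get-PolicyValue -Path $PolicyPath -Name 'blockcontentexecutionfrominternet'
    $vbaWarnings   = Get-PolicyValue -Path $PolicyPath -Name 'vbawarnings'

    # "Block macros from running in Office files from the Internet" is the primary protection.
    $blockEnabled  = ($blockInternet -eq 1)
    # "VBA Macro Notification Settings" only counts when it restricts macros (values 2, 3 or 4).
    $notifyEnabled = ($null -ne $vbaWarnings) -and ($vbaWarnings -in @(2, 3, 4))

    $status = if ($blockEnabled)      { 'Protected: Block macros from Internet policy enabled' }
              elseif ($notifyEnabled) { 'Protected: VBA Macro Notification Settings restrict macros' }
              else                    { 'AT RISK: both protections disabled or not configured' }

    [pscustomobject]@{
        PolicyPath              = $PolicyPath
        BlockMacrosFromInternet = if ($null -eq $blockInternet) { 'Not configured' } else { $blockInternet }
        VbaMacroNotification    = if ($null -eq $vbaWarnings) { 'Not configured' } else { $VbaWarningNames[[int]$vbaWarnings] }
        Status                  = $status
    }
}

Test-ProjectMacroPolicy | Format-List
```

Run it in the context of the user whose Project installation is being audited, since the policy hive is per-user; a "Not configured" result means no policy is enforced and the application's own Trust Center setting decides the behaviour.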
FAQ
Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.