CVE-2024-38226 — Microsoft Publisher Protection Mechanism Failure Vulnerability


Microsoft Publisher — Zero-Day Macro Policy Bypass Allows Malicious .pub Files to Execute Code Without Warning

What is Microsoft Publisher?

Microsoft Publisher is a desktop publishing application included in some Microsoft Office / Microsoft 365 suites, used for creating newsletters, brochures, flyers, and marketing materials. Publisher files (.pub) support VBA macros — the same macro scripting mechanism as Word, Excel, and PowerPoint — which enables automation of document tasks. Office macro security controls are a critical defense layer: they block macros in files downloaded from the internet (via Mark-of-the-Web) or prompt users before allowing macros to run, preventing malicious macro-based code execution from phishing documents.

Overview

CVE-2024-38226 is a protection mechanism failure in Microsoft Publisher that allows a specially crafted .pub file to bypass Office macro security policies — executing macros without displaying the expected security warning or block. A user who opens a malicious Publisher file would not be warned that the file contains macros, allowing attacker-controlled code to run silently. Microsoft and CISA simultaneously disclosed this as a zero-day on September 10, 2024, with the same-day KEV addition confirming active exploitation in phishing campaigns.

Affected Versions

Product                                                   Status
Microsoft Publisher (Microsoft 365 / Office 2019 / 2021)  Patched in the September 2024 Patch Tuesday release

Technical Details

CWE-693 (Protection Mechanism Failure). Microsoft Office implements multiple layers of macro security: the Mark-of-the-Web (MOTW) flag marks files downloaded from the internet, Group Policy controls determine whether macros in MOTW-flagged files are blocked or prompted, and Protected View provides a sandboxed read-only mode. CVE-2024-38226 represents a failure in Publisher's enforcement of these macro security controls — a crafted .pub file can cause Publisher to either ignore the MOTW flag, bypass the macro policy check, or suppress the security prompt, causing macros to execute without user notification.

Once macros run, the attacker has code execution in the context of the user running Publisher — typically enabling: downloading and running additional payloads, establishing persistence via registry or scheduled tasks, credential theft, and lateral movement.

Discovery

Confirmed as a zero-day by the simultaneous September 2024 Patch Tuesday and CISA KEV addition. Publisher macro bypass vulnerabilities are less common than their Word/Excel equivalents because Publisher is less widely deployed — but the macro engine is shared, and the bypass is valuable for actors whose phishing targets use Publisher.

Exploitation Context

Office macro bypass zero-days are consistently exploited in spear-phishing campaigns: the malicious document is delivered via email or download link, the victim opens it, macros execute without warning, and a payload (credential stealer, ransomware dropper, remote access tool) is installed. The zero-day value is specifically the silenced security warning — once patched and the prompt is restored, the effectiveness of the phishing lure is significantly reduced because users must actively dismiss a warning before macros run.
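The post-macro behaviour described in Technical Details and in the phishing chain above (Publisher handing off to a payload stage) is what a defender can actually observe, because Publisher itself almost never needs to launch a scripting host. The following is an added detection example, not part of this advisory: it filters process-creation records for mspub.exe spawning a scripting or LOLBin child. The records in $SampleEvents are constructed sample data shaped like Sysmon Event ID 1 fields; the helper at the end reshapes real Sysmon events into the same form, and the list of suspicious child names is an assumption to tune per environment.

```powershell
# Added example, not part of the advisory: flag process-creation events where
# Microsoft Publisher (mspub.exe) is the parent of a scripting or download-capable child.
# $SampleEvents is CONSTRUCTED sample data in the shape of Sysmon Event ID 1 fields.

$SampleEvents = @(
    [pscustomobject]@{
        Time        = '2024-09-10T09:12:01Z'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\update.ps1'
    }
    [pscustomobject]@{
        Time        = '2024-09-10T09:12:04Z'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE'
        Image       = 'C:\Windows\System32\wscript.exe'
        CommandLine = 'wscript.exe C:\Users\Public\helper.vbs'
    }
    [pscustomobject]@{
        Time        = '2024-09-10T09:15:40Z'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE'
        Image       = 'C:\Windows\splwow64.exe'       # benign: 32-bit Office printing on 64-bit Windows
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    }
    [pscustomobject]@{
        Time        = '2024-09-10T09:20:11Z'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\cmd.exe'    # scripting child, but not launched by Publisher
        CommandLine = 'cmd.exe /c dir'
    }
)

# Child images a desktop publishing application has no routine reason to launch (assumed list; tune it).
$SuspiciousChildren = @(
    'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
    'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'schtasks.exe', 'reg.exe'
)

function Find-SuspiciousPublisherChild {
    # Emits one finding per event in which mspub.exe is the parent of a listed child image.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$Event)
    process {
        foreach ($e in $Event) {
            $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
            $child  = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
            if ($parent -eq 'mspub.exe' -and $SuspiciousChildren -contains $child) {
                [pscustomobject]@{
                    Time        = $e.Time
                    Child       = $child
                    CommandLine = $e.CommandLine
                    Reason      = 'Publisher spawned a scripting/LOLBin child (possible macro payload stage)'
                }
            }
        }
    }
}

function Get-SysmonProcessCreate {
    # Reads live Sysmon Event ID 1 records and reshapes them like $SampleEvents.
    # Fields are read by name from the event XML so Sysmon schema changes do not shift indices.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $data['UtcTime']
                ParentImage = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
}

# Offline run on the constructed sample: two findings (powershell.exe and wscript.exe),
# the splwow64.exe and explorer-launched cmd.exe records are not reported.
$SampleEvents | Find-SuspiciousPublisherChild | Format-Table -AutoSize

# On a host with Sysmon installed:
# Get-SysmonProcessCreate | Find-SuspiciousPublisherChild
```

The filter keys on the parent image name rather than the full path so it also matches non-default Office install locations; the trade-off is that the child list needs tuning for environments where Publisher legitimately launches helper tools, which is exactly the profiling the ASR audit mode in the remediation list is meant to provide.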

Remediation

  1. Apply the September 2024 Microsoft Office/Publisher security updates (Patch Tuesday, September 10, 2024).
  2. Disable macros in all Office applications by default via Group Policy where macros are not required.
  3. Use Attack Surface Reduction (ASR) rules to block Office applications from creating child processes and from injecting code into other processes.
  4. Train users to be suspicious of unsolicited Publisher files, particularly those received via email or downloaded from the internet.
  5. Deploy email security solutions that scan Office documents for macro indicators and block or quarantine suspicious attachments.
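Steps 1 to 3 of the remediation list, plus the Mark-of-the-Web mechanism described under Technical Details, can be audited and applied on a single host with the script below. It is an added example, not code from the advisory or from Microsoft. The two ASR rule GUIDs are Microsoft's published identifiers for the rules named in step 3; the Publisher registry policy path (16.0 hive, HKCU Policies location), the Click-to-Run build location and the function names are assumptions, and in production the macro setting should be pushed through Group Policy rather than set per host.

```powershell
# Added example, not from the advisory or from Microsoft: audit and apply the remediation
# steps on one Windows host. Run from an elevated PowerShell session.

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns the configured action for each rule of interest (NotConfigured if absent).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) {
                $state = $AsrActionNames[[int]$actions[$i]]
                if (-not $state) { $state = "Action$($actions[$i])" }
                break
            }
        }
        [pscustomobject]@{ RuleId = $id; Rule = $AsrRules[$id]; State = $state }
    }
}

function Enable-OfficeAsrRules {
    # Step 3: switch both rules to Block. Use -Audit first where legitimate Office
    # child processes have not yet been profiled.
    param([switch]$Audit)
    $action = if ($Audit) { 'AuditMode' } else { 'Enabled' }
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    }
}

function Set-PublisherMacroPolicy {
    # Step 2: VBAWarnings = 4 is "Disable all macros without notification".
    # ASSUMPTION: Publisher reads the same per-application Security key layout as
    # Word/Excel under the 16.0 hive; the Policies branch is the Group Policy-managed
    # location that the Trust Center UI cannot override.
    param([ValidateSet(1, 2, 3, 4)][int]$VBAWarnings = 4)
    $key = 'HKCU:\Software\Policies\Microsoft\Office\16.0\publisher\security'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VBAWarnings -Type DWord
    (Get-ItemProperty -Path $key).VBAWarnings
}

function Test-MarkOfTheWeb {
    # Reports whether a file carries the Zone.Identifier stream that Office macro
    # blocking relies on; a .pub saved from mail or a browser should show ZoneId=3.
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) { return [pscustomobject]@{ Path = $Path; HasMotw = $false; ZoneId = $null } }
    $zoneId = $null
    foreach ($line in $zone) { if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] } }
    [pscustomobject]@{ Path = $Path; HasMotw = $true; ZoneId = $zoneId }
}

function Get-OfficeBuild {
    # Step 1 check: Click-to-Run build string. Compare it with the September 2024
    # release notes for your update channel; the advisory does not list the fixed build.
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($cfg) { $cfg.VersionToReport } else { 'Click-to-Run configuration not found (MSI install or Office absent)' }
}

# Typical run:
Get-OfficeBuild
Get-AsrRuleState | Format-Table -AutoSize
# Enable-OfficeAsrRules -Audit          # then Enable-OfficeAsrRules once audit events look clean
# Set-PublisherMacroPolicy -VBAWarnings 4
# Test-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\invoice.pub"
```

Test-MarkOfTheWeb is the useful check for this particular CVE: a file that reaches a user without the Zone.Identifier stream (for example extracted from an archive format that drops it) never triggers the MOTW-based block in the first place, so the macro policy in Set-PublisherMacroPolicy is the control that holds regardless of how the file arrived.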

Key Details

Property              Value
CVE ID                CVE-2024-38226
Vendor / Product      Microsoft — Publisher
NVD Published         2024-09-10
NVD Last Modified     2025-10-28
CVSS 3.1 Score        7.3
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-693
CISA KEV Added        2024-09-10
CISA KEV Deadline     2024-10-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-10-01. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-09-10  Microsoft releases September 2024 Patch Tuesday; CISA adds the CVE to KEV the same day, confirming zero-day exploitation
2024-10-01  CISA BOD 22-01 remediation deadline

References

Resource                                       Type
Microsoft Security Advisory — CVE-2024-38226   Vendor Advisory
NVD — CVE-2024-38226                           Vulnerability Database
CISA KEV Catalog Entry                         US Government