Microsoft recently patched a critical-severity Office vulnerability that could allow attackers to execute malicious code remotely on vulnerable PCs. The flaw, tracked as CVE-2022-21840, is a remote code execution (RCE) bug that attackers may exploit in low-complexity attacks that do not require user input.
According to Microsoft, an attacker could exploit the vulnerability in an email attack scenario by sending the user a specially crafted file and convincing them to open it. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.
To exploit this flaw successfully, attackers would have to trick their victim into opening a specially crafted Office document delivered via a link shared over instant messaging or email. Fortunately, Microsoft states that the Outlook Preview Pane is not an attack vector for this issue.
However, CERT/CC vulnerability analyst Will Dormann confirmed that it can be exploited through the Windows Explorer preview pane. This means that prospective victims do not need to be tricked into opening a maliciously crafted Office file at all: simply selecting the file in an Explorer window with the preview pane enabled may be enough to trigger exploitation.
Although security updates have been released for Microsoft 365 Apps for Enterprise and for Windows versions of Microsoft Office, the company is still working on fixes for macOS. Users of Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac were warned that the CVE-2022-21840 fixes would take a bit longer to arrive.
“The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available,” Microsoft says in the latest security advisory. “The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.”
In November, Microsoft failed to ship macOS fixes for an actively exploited Excel zero-day, a severe security feature bypass bug that allows local exploitation by unauthenticated attackers in low-complexity attacks that do not require user input. According to the CVE updates, Redmond released security fixes for the Microsoft Office for Mac zero-day one week later, urging customers to install the patches to protect themselves from in-the-wild attacks.