Fixes released for a serious Microsoft Office zero-day flaw
Microsoft is warning admins of an Office security-bypass zero-day vulnerability that can be triggered simply by a user opening a document. The flaw is currently being actively exploited.
“The vulnerability is serious,” said Johannes Ullrich, dean of research at the SANS Institute. “The root cause is that Microsoft Office still supports the older OLE document format, which provides access to various OLE components. The effect is similar to what an attacker could do with Office Macros. But Office Macros are typically blocked for documents downloaded from the internet. Microsoft implemented similar protections for OLE components, but this recent exploit found a way to bypass them.”
Despite efforts by Microsoft and email gateway vendors, emails with malicious attachments are still a significant attack vector, he added.
“It is important that organizations roll up this update quickly. Until it has been applied, filters on email gateways or endpoint protection signatures may help mitigate the threat.”
Fortunately, the vulnerability, CVE-2026-21509, which has a CVSS score of 7.8, is fixed automatically in Office 2021 and later; however, admins should note that these applications need a restart for the patch to take effect. For Office 2016 and Office 2019, there is a separate patch.
Jack Bicer, director of vulnerability research at Action1, said that for security teams and CISOs “the urgency is real: don’t wait, prioritize this update immediately, and ensure all Office applications are restarted so the protections take effect without delay.”
The flaw is exploited by sending malicious Office documents and convincing users to open them, “a classic technique that emphasizes the ongoing effectiveness of social engineering in real-world attacks,” he said.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the hole to its catalogue of known exploited vulnerabilities. Vulnerabilities in the catalogue must be remediated by federal civilian executive branch agencies by a specified date.
Asked for comment, a Microsoft spokesperson said the company recommends impacted customers follow the guidance on its CVE page. It also points out that Microsoft Defender has detections in place to block exploitation, and Office’s default Protected View setting provides an extra layer of protection by blocking malicious files from the internet.
“As a security best practice, we encourage users to exercise caution when downloading and enabling editing on files from unknown sources, as indicated in security warnings,” the spokesperson added.
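The article makes three practical points for defenders: the update only takes effect once Office applications are restarted, the fixed build should be confirmed against Microsoft's CVE page, and Protected View for files from the internet should remain enabled. The PowerShell script below is an added example written for this page, not code from the article, Microsoft or Action1. It assumes a Click-to-Run Office installation (it reads `VersionToReport` from the ClickToRun configuration key) and the Office 16.0 registry layout for the Protected View setting `DisableInternetFilesInPV`; the fixed build numbers are not given on the page, so the reported version must be compared against Microsoft's guidance by hand.

```powershell
# Added example (not from the article): audit a Windows endpoint for the
# conditions the article calls out - the Office build reported by Click-to-Run,
# Office processes still running (the patch only takes effect after a restart),
# and whether Protected View for internet files has been turned off.
# Assumptions: a Click-to-Run installation (registry key below) and Office 16.0
# registry paths. The fixed build numbers are not on the page; compare
# $report.Version against Microsoft's CVE page yourself.

function Get-OfficeRestartAudit {
    [CmdletBinding()]
    param()

    # Click-to-Run records the installed build here; the key is absent on MSI installs.
    $c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $version = if ($c2r) { $c2r.VersionToReport } else { 'unknown (not Click-to-Run)' }

    # Office applications that must be closed before an installed update is loaded.
    $officeExe = 'WINWORD', 'EXCEL', 'POWERPNT', 'OUTLOOK', 'MSACCESS', 'VISIO', 'ONENOTE'
    $running = Get-Process -Name $officeExe -ErrorAction SilentlyContinue |
        Select-Object ProcessName, Id, StartTime

    # Protected View for files from the internet is on by default. A value of 1 in
    # DisableInternetFilesInPV (user or policy hive) turns it off for that application.
    $pvDisabled = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        foreach ($hive in 'HKCU:\Software\Microsoft\Office\16.0', 'HKCU:\Software\Policies\Microsoft\Office\16.0') {
            $key = Join-Path $hive "$app\Security\ProtectedView"
            $v = (Get-ItemProperty -Path $key -Name DisableInternetFilesInPV -ErrorAction SilentlyContinue).DisableInternetFilesInPV
            if ($v -eq 1) { "$app ($hive)" }
        }
    }

    [pscustomobject]@{
        Version                 = $version
        RunningOfficeProcesses  = @($running)
        RestartRequired         = ($running | Measure-Object).Count -gt 0
        ProtectedViewDisabledIn = @($pvDisabled)
    }
}

$report = Get-OfficeRestartAudit
$report | Format-List

if ($report.RestartRequired) {
    Write-Warning ('Office processes still running; the update cannot take effect until they are closed: ' +
        (($report.RunningOfficeProcesses | ForEach-Object ProcessName) -join ', '))
}
if ($report.ProtectedViewDisabledIn.Count -gt 0) {
    Write-Warning ('Protected View for internet files is disabled for: ' + ($report.ProtectedViewDisabledIn -join '; '))
}
```

Run it in an elevated session on each endpoint after the update has been deployed; a non-empty `RunningOfficeProcesses` list means the protections are not yet active on that machine, and any entry in `ProtectedViewDisabledIn` shows where the default layer of protection Microsoft points to has been switched off.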
Source: Computer World