During the first Patch Tuesday of this year, Microsoft fixed a critical severity Office vulnerability that can allow attackers to execute malicious code remotely on vulnerable systems.
The security flaw, identified as CVE-2022-21840, is a remote code execution (RCE) bug that attackers can exploit without privileges on targeted devices in low complexity attacks that require user interaction.
“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing them to open the file,” Microsoft explains.
“In a web attack scenario, an attacker could host a website (or exploit a compromised website that accepts or hosts user-supplied content) that contains a file specially crafted to exploit the vulnerability.”
To successfully exploit this critical vulnerability, attackers would have to trick their targets into opening a specially crafted Office document, delivered for example via a link shared through instant messaging or email.
Fortunately, Microsoft claims that the Outlook preview pane cannot be used as an attack vector in attempted exploitation targeting this vulnerability.
However, the vulnerability can be triggered through the Windows Explorer preview pane, as confirmed by Will Dormann, CERT/CC Vulnerability Analyst.
This means exploitation does not require tricking potential victims into opening a maliciously crafted Office file: merely selecting the file in an Explorer window with the preview pane enabled is enough.
macOS fixes are still “under construction”
Even though Redmond has released security updates for the Microsoft 365 Apps for Enterprise and Windows versions of Microsoft Office, the company is still working on fixes to address the vulnerability on macOS.
Mac users running Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac have been advised that they will have to wait a bit longer for fixes for CVE-2022-21840.
“Security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 is not available immediately,” Microsoft said in today’s security advisory.
“Updates will be released as soon as possible, and when available, customers will be notified through a review of this CVE information.”
Microsoft also delayed the macOS fixes for an actively exploited Excel zero-day in November, a serious security feature bypass bug that allows local exploitation by unauthenticated attackers in low-complexity attacks that do not require user interaction.
According to updates to the CVE information, Redmond released security updates for Microsoft Office for Mac a week later, advising users to deploy the fixes to keep their installations protected against in-the-wild attacks.