Several vulnerabilities in Microsoft Office

19/02/2024

Microsoft fixed several vulnerabilities in various Office products last Tuesday (Patch Tuesday). A malicious party can exploit these vulnerabilities to carry out attacks. For the most critical vulnerability, Proof-of-Concept code (PoC) has now been published.

What is the risk?
The most serious vulnerability is in the preview screen within Microsoft Office. This vulnerability, referred to as CVE-2024-21413, allows an attacker to execute arbitrary code. Applications that use the preview screen, such as Outlook, are vulnerable. Successful exploitation requires the malicious party to trick the victim into clicking a rogue link. The vulnerability received a CVSS score of 9.8. The NCSC decided to raise the security advisory for this vulnerability to High/High after the PoC was made publicly available. The PoC currently only shows the potential of the implementation and is not functional. However, the NCSC expects executable exploit code in the near future. This means that there is a high probability that this vulnerability will be exploited, and the damage from this could be significant.

Additional Information
The other fixed vulnerabilities are in Microsoft Office, Microsoft OneNote, Microsoft Skype, Microsoft Teams for Android and Microsoft Word. Note that the vulnerabilities in Skype and Teams for Android can only be abused if the attacker has physical access to the vulnerable system, or is positioned as a Man-in-the-Middle in the adjacent network. For a clear overview of the various vulnerabilities, see the NCSC's security advisory.

What can I do?
Microsoft has made updates available that fix the various vulnerabilities. The Digital Trust Center recommends installing these updates as soon as possible. More information about the vulnerabilities, installing the updates and possible workarounds can be found here.

If you are unsure whether you use the Microsoft Office products listed, or if you have outsourced your IT management, contact your IT service provider. Urgently ask them to implement the necessary measures as soon as possible.
