Microsoft Patch Tuesday fixes critical Office RCE

Microsoft Patch Tuesday security updates fix a critical Office flaw that can allow remote attackers to execute malicious code on vulnerable systems.

Microsoft Patch Tuesday security updates for January 2022 patch 96 vulnerabilities in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

One of the most severe vulnerabilities is a remote code execution issue, tracked as CVE-2022-21840, is affects Microsoft Office. A remote attacker can exploit this flaw to execute arbitrary code on vulnerable systems.

In an attack scenario described by Microsoft, an attacker could exploit the vulnerability by sending the specially crafted file to the user and tricking it into opening the file.

This flaw has been rated as critical because of the lack of warning dialogs when opening the crafted file. Experts pointed out that at this time Microsoft has yet to release a patch for Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. The IT giant states that the updates will be released as soon as possible.

“Exploitation of the vulnerability requires that a user open a specially crafted file.

In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.” states the security advisory published by Microsoft.

“An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”

The advisory states that the Windows Explorer preview pane cannot be used as an attack vector to exploit this vulnerability.

Microsoft Patch Tuesday security updates also address a wormable HTTP Protocol Stack remote code execution vulnerability, tracked as CVE-2022-21907.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.