Microsoft Patch Tuesday fixes critical Office RCE

Microsoft Patch Tuesday security updates fix a critical Office flaw that can allow remote attackers to execute malicious code on vulnerable systems.

Microsoft Patch Tuesday security updates for January 2022 patch 96 vulnerabilities in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

One of the most severe vulnerabilities is a remote code execution issue, tracked as CVE-2022-21840, is affects Microsoft Office. A remote attacker can exploit this flaw to execute arbitrary code on vulnerable systems.

In an attack scenario described by Microsoft, an attacker could exploit the vulnerability by sending the specially crafted file to the user and tricking it into opening the file.

This flaw has been rated as critical because of the lack of warning dialogs when opening the crafted file. Experts pointed out that at this time Microsoft has yet to release a patch for Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. The IT giant states that the updates will be released as soon as possible.

“Exploitation of the vulnerability requires that a user open a specially crafted file.

• In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
• In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.” states the security advisory published by Microsoft.

“An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”

The advisory states that the Windows Explorer preview pane cannot be used as an attack vector to exploit this vulnerability.

Microsoft Patch Tuesday security updates also address a wormable HTTP Protocol Stack remote code execution vulnerability, tracked as CVE-2022-21907.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday)

[adrotate banner=”5″]

[adrotate banner=”13″]