As part of the January Patch Tuesday, Microsoft engineers fixed a critical vulnerability in Office that could allow attackers to remotely run malicious code on vulnerable systems.
The RCE vulnerability, tracked as CVE-2022-21840, can be exploited on target devices even with the lowest privileges and with low attack complexity, but it requires user interaction. Basically, the user has to open a specially crafted Office document received from the attacker via mail or messenger. Fortunately, it is reported that the Outlook Preview Pane cannot be used as an attack vector.
Alas, renowned cybersecurity expert and CERT/CC analyst Will Dormann adds that the bug can be exploited through the Windows Explorer preview pane. That is, exploitation is still possible without the user directly opening a malicious Office file: it is enough to select such a file in an Explorer window with the preview pane turned on.
The crux of the situation is that Microsoft has already prepared patches for Microsoft 365 Apps for Enterprise and the Windows versions of Microsoft Office, but is still working on fixes for the vulnerability in macOS. Thus, Mac users running Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac will have to wait – there are no fixes for them yet, and the exact release dates have not been announced.
Bleeping Computer notes that in November 2021, Microsoft was likewise unable to promptly provide Apple users with patches for an actively exploited 0-day vulnerability in Excel. That bug allowed unauthenticated attackers to bypass security mechanisms and launch an attack that did not require user interaction.
Let me remind you that we also recently wrote that "Vulnerability in macOS Leads to Data Leakage", as well as that "Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities".