Gandalf_The_Grey (thread author)
During this year's first Patch Tuesday, Microsoft has addressed a critical severity Office vulnerability that can let attackers execute malicious code remotely on vulnerable systems.
The security flaw, tracked as CVE-2022-21840, is a remote code execution (RCE) bug that attackers can exploit with no privileges on the targeted devices as part of low-complexity attacks that require user interaction.
"In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file," Microsoft explains.
"In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability."
To successfully exploit this critical vulnerability, attackers would have to trick their targets into opening a specially crafted Office document delivered using a link shared via instant messaging or email.
Luckily, Microsoft says that the Windows Explorer preview pane cannot be used as an attack vector in exploitation attempts targeting this vulnerability.
If possible, it would allow successful exploitation without having to trick the potential victims into opening maliciously crafted Office files instead of only having to select them in an Explorer window with the preview pane enabled.
macOS patches are still "under construction"
Source: Microsoft fixes critical Office bug, delays macOS security updates (www.bleepingcomputer.com)