   alt.comp.os.windows-10      Steaming pile of horseshit Windows 10      197,590 messages   


   Message 196,974 of 197,590   
   ...w¡ñ§±¤ñ to J. P. Gilliver   
   Re: Microsoft Office Zero-Day (CVE-2026-   
   28 Jan 26 09:06:23   
   
   XPost: alt.comp.os.windows-11   
   From: winstonmvp@gmail.com   
      
   J. P. Gilliver wrote on 1/28/2026 6:26 AM:   
   > On 2026/1/28 6:42:31, ...w¡ñ§±¤ñ wrote:   
   >> Mr. Man-wai Chang wrote on 1/27/2026 10:51 PM:   
   >>> Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for   
   >>> Active Exploitation   
   >>>    
   >>>   
   >>>   
   >>> Microsoft on Monday issued out-of-band security patches for a   
   >>> high-severity Microsoft Office zero-day vulnerability exploited in attacks.   
   >   
   > Do we have a KB number (or isn't that a valid question these days)?   
   >>>   
   >>> The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8   
   >>> out of 10.0. It has been described as a security feature bypass in   
   >>> Microsoft Office.   
   >>>   
   >>> "Reliance on untrusted inputs in a security decision in Microsoft Office   
   >>> allows an unauthorized attacker to bypass a security feature locally,"   
   >>> the tech giant said in an advisory.   
   >>>   
   >>> "This update addresses a vulnerability that bypasses OLE mitigations in   
   >>> Microsoft 365 and Microsoft Office, which protect users from vulnerable   
   >>> COM/OLE controls."   
   >   
   > Are earlier versions (e. g. 2003, 2007) vulnerable?   
   >>>   
   >>> Successful exploitation of the flaw relies on an attacker sending a   
   >>> specially crafted Office file and convincing recipients to open it. It   
   >>> also noted that the Preview Pane is not an attack vector.   
   >>>   
   > Would that file be .docx (or whatever)?   
   > []   
   >   
      
   You replied to my post, but snipped its complete content.   
   Using the link in my post can provide the information and answers to   
   what you asked.   
   - the KB # for 2016, CTR document for 2019 and later   
   - Versions supported are update-able and fixable; as in the past, earlier   
   non-supported versions are not. Likewise, MSFT does not report   
   vulnerability to versions older than indicated in the CVE.   
   - applies to any malicious Office file => 'whatever' in your terminology   
      
   i.e. if using 2003 or 2007 or 2010 or 2013 you are SOL.   
   --   
   ...w¡ñ§±¤ñ   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
