
   alt.comp.os.windows-10      Steaming pile of horseshit Windows 10      197,590 messages   


   Message 196,988 of 197,590   
   VanguardLH to winston   
   Re: Microsoft Office Zero-Day (CVE-2026-   
   28 Jan 26 15:23:46   
   
   XPost: alt.comp.os.windows-11   
   From: V@nguard.LH   
      
   winston  wrote:   
      
   > J. P. Gilliver wrote:   
   >   
   >> winston wrote:   
   >>   
   >>> Mr. Man-wai Chang wrote:   
   >>>   
   >>>> Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for   
   >>>> Active Exploitation   
   >>>>    
   >>>>   
   >>>>   
   >>>> Microsoft on Monday issued out-of-band security patches for a   
   >>>> high-severity Microsoft Office zero-day vulnerability exploited in   
   >>>> attacks.   
   >>   
   >> Do we have a KB number (or isn't that a valid question these days)?   
   >>   
   >>>> The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8   
   >>>> out of 10.0. It has been described as a security feature bypass in   
   >>>> Microsoft Office.   
   >>>>   
   >>>> "Reliance on untrusted inputs in a security decision in Microsoft Office   
   >>>> allows an unauthorized attacker to bypass a security feature locally,"   
   >>>> the tech giant said in an advisory.   
   >>>>   
   >>>> "This update addresses a vulnerability that bypasses OLE mitigations in   
   >>>> Microsoft 365 and Microsoft Office, which protect users from vulnerable   
   >>>> COM/OLE controls."   
   >>   
   >> Are earlier versions (e. g. 2003, 2007) vulnerable?   
   >>   
   >>>> Successful exploitation of the flaw relies on an attacker sending a   
   >>>> specially crafted Office file and convincing recipients to open it. It   
   >>>> also noted that the Preview Pane is not an attack vector.   
   >>   
   >> Would that file be .docx (or whatever)?   
   >   
   > You replied to my post, but snipped its complete content.   
   > Using the link in my post, can provide the information and answers to   
   > what you asked.   
   > - the KB # for 2016, CTR document for 2019 and later   
   > - Versions supported are update-able and fixable, as in the past earlier   
   > non-supported versions are not. Likewise, MSFT does not report   
   > vulnerability to versions older than indicated in the CVE.   
   > - applies to any malicious Office file => 'whatever' in your terminology   
   >   
   > i.e. if using 2003 or 2007 or 2010 or 2013 you are SOL.   
      
   Not clear if updating Office 2021, what I have, got the necessary fixes,   
   or if users are still expected to do the registry edits.  After   
   updating, my Office 2021 reports it is at 2601 (build 19628.20150   
   Click-to-Run).  It was at 2512 released on Jan 13 which is before the   
   Jan 26 date cited for the CVE-2026-21509 patch.  Now I'm at 2601, but   
   haven't found anything in that build description about CVE-2026-21509.   
      
   "automatically protected via a service-side change"   
      
   Hmm, wonder how users know when that happens, and what to check to   
   verify if they got the patch, or not.  Besides the Jan 26 update, are we   
   still waiting for an additional patch rollout?   
      
   When I click on Update Options -> View updates, I'm taken to:   
      
   https://learn.microsoft.com/en-us/officeupdates/current-channel   
      
   instead of an actual update history.  Nothing mentioned there about CVE   
   or OLE fixes.  There were some OLE fixes mentioned, but way back to   
   March.   
      
   https://learn.microsoft.com/en-us/officeupdates/microsoft365-app-security-updates   
      
   CVE-2026-21509 isn't listed.  The MS article you cited mentions the CVE,   
   but not in which build number the user will see after the patch.   
      
   The only add-ins installed into Word are those that came bundled with   
   the product during installation; i.e., all are Microsoft supplied.  I   
   had an add-in in Outlook (Message Header Analyzer), but it didn't give   
   me any more info that I could see when viewing all the headers, so I   
   uninstalled it.  That was from MS, too.  In Word, I have "Disable all   
   macros without notification".  I don't add scripts into docs, and don't   
   want to open docs from others that have scripts inside.  Same for   
   Outlook.  In Excel, I chose "Disable VBA macros with notification".  I   
   don't use macros in my spreadsheets, but possibly someone else might,   
   but I will get notified, and very likely deny.  I don't see how a   
   crafted doc could utilize scripts via OLE with macros disabled in all   
   the MS Office components, and with no non-MS add-ins.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
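The post above asks two practical questions: what to look at to tell whether a Click-to-Run Office install is at or past the build that carries a fix, and what the macro settings in each app actually are. The script below is an added example, not code from the post, from Microsoft, or from the cited articles. It reads the standard Click-to-Run configuration key and the documented Office 16.0 per-app VBAWarnings values. The fixed build number is a parameter the reader must supply from Microsoft's advisory or release notes; nothing here claims which build contains the CVE-2026-21509 fix, and a "service-side change" of the kind quoted in the post is not visible in the registry at all, so the script can only confirm the build is at or above the number you give it.

```powershell
<#
Added example (not from the original post, Microsoft, or the cited
articles). Reports the build that Click-to-Run Office says it is at,
compares it with a fixed build the reader supplies, and lists each
app's effective VBA macro setting (Group Policy value, if present,
overrides the user's Trust Center choice).
#>
param(
    # Hypothetical parameter: the fixed build quoted by Microsoft for
    # your channel, e.g. 16.0.xxxxx.xxxxx. No default is assumed here.
    [Parameter(Mandatory = $true)]
    [version]$FixedBuild
)

function Get-C2RBuildStatus {
    param([version]$Fixed)
    # Standard Click-to-Run configuration key; absent on MSI installs
    # (Office 2016 MSI is patched through KB updates instead).
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $cfg) {
        return [pscustomobject]@{ Installed = $false; Note = 'No Click-to-Run key; not a C2R install' }
    }
    $reported = [version]$cfg.VersionToReport
    [pscustomobject]@{
        Installed       = $true
        Products        = $cfg.ProductReleaseIds
        Platform        = $cfg.Platform
        UpdateChannel   = $cfg.UpdateChannel      # CDN URL that identifies the channel
        VersionToReport = $reported
        FixedBuild      = $Fixed
        AtOrAboveFixed  = ($reported -ge $Fixed)  # build comparison only, not proof the fix is present
    }
}

# Documented meanings of the VBAWarnings value in the Trust Center.
$vbaMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable VBA macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicy {
    # Outlook stores its macro level under a different value name, so it is
    # left out here (assumption: check Outlook's Trust Center by hand).
    foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Access') {
        $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $blockWeb = (Get-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        # Policy wins over the user choice; when neither value exists the
        # app uses its default, assumed here to be 2 (notify).
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }
        [pscustomobject]@{
            App                 = $app
            UserSetting         = $user
            PolicySetting       = $policy
            Effective           = $effective
            Meaning             = $vbaMeaning[[int]$effective]
            BlockMacrosFromWeb  = $blockWeb   # 1 when the GPO "block macros from the Internet" is set
        }
    }
}

Get-C2RBuildStatus -Fixed $FixedBuild | Format-List
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it as `.\Check-OfficeBuild.ps1 -FixedBuild 16.0.<build from the advisory>`. A result of `AtOrAboveFixed = True` means only that the installed build number is not older than the one you passed in; whether that build actually carries a given security fix has to come from Microsoft's release notes, which is exactly the gap the post complains about. The macro table shows the same thing the poster set by hand in each app, including whether a Group Policy value is overriding it.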



(c) 1994,  bbs@darkrealms.ca