
   alt.comp.os.windows-10      Steaming pile of horseshit Windows 10      197,590 messages   


   Message 197,003 of 197,590   
   Boris to winstonmvp@gmail.com   
   Re: Microsoft Office Zero-Day (CVE-2026-   
   29 Jan 26 04:38:08   
   
   XPost: alt.comp.os.windows-11   
   From: nospam@invalid.com   
      
   ...w¡ñ§±¤ñ wrote in   
   news:10lefpf$vf8m$1@dont-email.me:   
      
   > On 1/28/2026 5:45 PM, J. P. Gilliver wrote:   
   >> On 2026/1/28 22:43:36, ...w¡ñ§±¤ñ wrote:   
   >>> J. P. Gilliver wrote on 1/28/2026 2:11 PM:   
   >>>> On 2026/1/28 16:6:23, ...w¡ñ§±¤ñ wrote:   
   >>>> []   
   >>>>   
   >>>>> - Versions supported are update-able and fixable, as in the past   
   >>>>> earlier non-supported versions are not. Likewise, MSFT does not   
   >>>>> report vulnerability to versions older than indicated in the CVE.   
   >>>>   
   >>>> So earlier versions are not fixable (by this patch, anyway), but may   
   >>>> not be vulnerable in the first place.   
   >>>    It would be wise to assume the opposite => vulnerable   
   >>>>   
   >>>>> - applies to any malicious Office file => 'whatever' in your   
   >>>>> terminology   
   >>>>   
   >>>> When I said does it have to be .docx or whatever, I meant does it   
   >>>> have to be (for example) .docx, .xlsx, or whatever, as opposed to   
   >>>> .doc, .xls, and so on - i. e. the "new" formats.   
   >>>    All those file types can include links or phishing content - not sure   
   >>>    why you wouldn't know that.   
   >>   
   >> This thread started about a _specific_ exploit, that MS had released a   
   >> patch to protect against.   
   >   
   > The link provided to the CVE specified the exploit parameter as:   
   > "An attacker must send a user a malicious Office file and convince them   
   > to open it."   
   >  => should be interpreted as any possible 'Office' file, i.e. no   
   > delineation for prior version file extensions.   
   >   
      
   I read the article:   
      
      
      
   I have some questions.   
      
   My understanding is that any of the Office programs in versions 2021 and   
   later, will be protected with a 'service-side change'.  What is a   
   service-side change?   
      
   My understanding is also that if one doesn't open (preview is ok, but why   
   would one bother?) the attached Office document, in any version, there's   
   no harm.   
      
   Additionally, the article gives the updates that should be applied to   
   Office versions 2016 and 2019.  Then, the article gives a registry edit to   
   'mitigate' the issue, I assume for the same Office versions, 2016 and   
   2019.  Why the registry edit if the updates are applied?   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
