Microsoft patched several security vulnerabilities in its Office products on Tuesday last week. Proof-of-concept (PoC) code for the most critical vulnerability has now been published.

The most serious vulnerability, identified as CVE-2024-21413, lies in the preview pane within Microsoft Office and allows an attacker to execute arbitrary code. Applications that use the preview pane, such as Outlook, are vulnerable. Successful abuse requires the attacker to trick the victim into clicking on a malicious link. The vulnerability received a CVSS score of 9.8. The NCSC decided to upgrade its security advisory for this vulnerability to High/High after the proof of concept (PoC) was made publicly available. The NCSC also warns that working exploit code will appear soon. This means that there is a high chance that this vulnerability will be exploited and that exploitation could cause serious damage.

Other weaknesses

The other resolved vulnerabilities are in Microsoft Office, Microsoft OneNote, Microsoft Skype, Microsoft Teams for Android, and Microsoft Word. The vulnerabilities in Skype and Teams for Android can only be exploited if the attacker has physical access to the system or is positioned on the adjacent network (as a Man-in-the-Middle).

NCSC recommends that you install the latest updates for Office applications as soon as possible.

By -Editorial Board-