CVE-2025-49695

Microsoft · Microsoft Office

A high-severity use-after-free vulnerability in Microsoft Office allows an attacker who can get a user to open a crafted document to run code on that user's computer with the user's privileges.

Executive summary

CVE-2025-49695 is a use-after-free flaw in Microsoft Office rated High (CVSS 8.4). If an employee opens a specially crafted document (for example a Word or Excel file), the attacker's code runs with that employee's privileges: enough to steal any data the employee can reach, install malware, or disrupt business operations, and enough to take over the workstation outright where the employee is a local administrator. Immediate patching is required to mitigate this risk.

Vulnerability

The vulnerability is a use-after-free flaw. While parsing a crafted document, the Office application continues to use a memory object after that object has been freed. Because the document's contents influence what the freed memory is reused for, an attacker can corrupt the application's state and redirect execution to attacker-chosen code, which then runs with the same permissions as the logged-in user. Delivery is typically a phishing email carrying the document as an attachment or link; the "remote" in remote code execution refers to where the attacker sits, the flaw itself is triggered locally when the file is opened, and no prior privileges on the target are needed.

Business impact

This vulnerability is rated High severity with a CVSS score of 8.4. Successful exploitation gives the attacker code execution as the affected user; where that user has local administrator rights this is a complete compromise of the workstation, and even for a standard user it exposes everything the user's credentials and sessions can reach. The primary business impacts are exfiltration of sensitive corporate or customer data, deployment of ransomware with the resulting financial loss and operational downtime, and use of the compromised system as a foothold to move laterally across the corporate network. These outcomes pose a direct risk to the organization's data integrity, financial stability, and reputation.

Remediation

Immediate Action: Prioritize and deploy the security updates released by Microsoft for all affected versions of Office. Treat this as a critical patch and apply it as soon as possible through established patch management systems such as Microsoft Endpoint Configuration Manager (MECM) or Windows Server Update Services (WSUS). Note that WSUS only serves updates for MSI-based (volume-licensed) Office installations; Click-to-Run builds of Microsoft 365 Apps update from the Office CDN or through Configuration Manager's Microsoft 365 Apps update management, so confirm that both install types reach the fixed build listed in Microsoft's advisory for CVE-2025-49695.

Proactive Monitoring: Security teams should monitor for indicators of compromise using Endpoint Detection and Response (EDR) tools. Specifically, watch for Office applications (e.g., WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, OUTLOOK.EXE) spawning suspicious child processes such as powershell.exe, cmd.exe, or wscript.exe, and treat encoded or hidden-window command lines from such children as high-confidence alerts. Baseline first: some add-ins and print helpers legitimately spawn processes from Office. Monitor network logs for outbound connections from workstations to newly seen or low-reputation destinations shortly after an Office process starts.
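
The parent/child check described above, written out as an added example (this is not code from the advisory or from Microsoft). It runs the rule over constructed sample records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine, User), and includes a collector for real Sysmon events where Sysmon is installed. The child-process list extends the advisory's three names with other living-off-the-land binaries that document-borne stagers commonly chain through; tune it to your estate.

```powershell
# Added example, not from the advisory: flag Office processes spawning shells or script hosts.

$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE')

# The advisory names powershell.exe, cmd.exe and wscript.exe; the rest are common LOLBins.
$SuspiciousChildren = @(
    'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
    'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe', 'schtasks.exe'
)

function Find-OfficeChildProcess {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Record)
    process {
        # Compare on the file name only (split on either slash so this also runs under pwsh on
        # Linux for offline triage); -contains is case-insensitive for strings.
        $parent = ([string]$Record.ParentImage -split '[\\/]')[-1]
        $child  = ([string]$Record.Image -split '[\\/]')[-1]
        if (($OfficeParents -contains $parent) -and ($SuspiciousChildren -contains $child)) {
            # An -enc/-e switch followed by a long base64 blob is the classic hidden-stager shape.
            $encoded = [bool]([string]$Record.CommandLine -match
                '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}')
            [pscustomobject]@{
                TimeCreated = $Record.TimeCreated
                User        = $Record.User
                Parent      = $parent
                Child       = $child
                EncodedCmd  = $encoded
                CommandLine = $Record.CommandLine
            }
        }
    }
}

# Collect real Sysmon process-creation events (Event ID 1) into the same shape. Returns nothing
# when Sysmon is not installed or the log is not readable from this session.
function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 5000)
    $query = @{
        FilterHashtable = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
        MaxEvents       = $MaxEvents
        ErrorAction     = 'SilentlyContinue'
    }
    Get-WinEvent @query | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = $data['User']
            ParentImage = $data['ParentImage']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
        }
    }
}

# Constructed sample records standing in for telemetry (not real events).
$SampleEvents = @(
    [pscustomobject]@{
        TimeCreated = '2025-07-09 09:14:02'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA='
    },
    [pscustomobject]@{
        TimeCreated = '2025-07-09 09:14:05'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Image       = 'C:\Windows\splwow64.exe'        # benign print helper, should not alert
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    },
    [pscustomobject]@{
        TimeCreated = '2025-07-09 09:16:41'; User = 'CORP\asmith'
        ParentImage = 'C:\Windows\explorer.exe'         # shell, but not Office-spawned
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c dir'
    },
    [pscustomobject]@{
        TimeCreated = '2025-07-09 09:17:03'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\wscript.exe'
        CommandLine = 'wscript.exe //B C:\Users\jdoe\AppData\Local\Temp\update.vbs'
    }
)

$SampleEvents | Find-OfficeChildProcess | Format-Table TimeCreated, User, Parent, Child, EncodedCmd -AutoSize
# Live use on a Sysmon host: Get-SysmonProcessCreate | Find-OfficeChildProcess
```

On the sample data the filter surfaces the two WINWORD.EXE rows (the encoded PowerShell stager and the script launched from Temp) and ignores both the Excel print helper and the cmd.exe started from Explorer, which is the distinction an analyst wants: suspicious child alone is noise, Office parent plus suspicious child is the signal. Security Event ID 4688 records can be fed in the same way if their NewProcessName and ParentProcessName fields are mapped onto Image and ParentImage.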

Compensating Controls: If immediate patching is not feasible, the following controls can reduce risk:

  • Ensure Microsoft Office Protected View is enabled for all documents originating from the internet, received as email attachments, or opened from unsafe locations, and enforce it by policy so users cannot switch it off. Protected View opens the file in a sandboxed, read-only process; it does not remove the flaw, but it limits what a successful exploit can do until the user clicks "Enable Editing".
  • Implement strict user awareness campaigns warning against opening unsolicited or suspicious Office documents and against leaving Protected View for files they did not expect.
  • Use Microsoft Defender Attack Surface Reduction rules (or equivalent application control such as AppLocker or WDAC) to block Office applications from creating child processes, creating executable content, or injecting code into other processes. Roll the rules out in audit mode first, since some add-ins legitimately spawn processes.
  • Ensure antivirus and antimalware solutions are up-to-date to detect and block second-stage payloads. Signature-based AV is a weak control against the exploit document itself, which may be unique per target, so it complements rather than replaces the controls above.
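
The Protected View and application-control bullets above, applied to a single host as an added example (not code from the advisory or from Microsoft). It writes the policy-hive registry values that the Office Group Policy settings for Protected View map to, and enables the three Office-related Defender Attack Surface Reduction rules by their published rule IDs. The registry value names and the 16.0 version path are assumptions to verify against the Office ADMX templates you deploy; Defender Antivirus must be the active real-time engine for the ASR rules to take effect. Run elevated, and at scale push the same settings through Group Policy or Intune rather than per host.

```powershell
# Added example, not from the advisory: compensating controls for an unpatched Office host.

# 1. Protected View for Internet-zone files, Outlook attachments and unsafe locations.
#    These keys are the registry form of the Office GPO settings (assumed names; check your
#    ADMX). A value of 0 means "do not disable", i.e. Protected View stays on and is locked.
$OfficeApps = @('Word', 'Excel', 'PowerPoint')
$PvSettings = @('DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV')

function Set-ProtectedViewPolicy {
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView"
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $PvSettings) {
            New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

# 2. Defender ASR rules that stop an exploited Office process from launching children,
#    dropping executables or injecting into other processes. GUIDs are Microsoft's rule IDs.
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}

function Set-OfficeAsrRules {
    param(
        # Start in AuditMode, review Defender's operational log for add-ins or build tooling
        # that would be blocked, then rerun with -Mode Enabled.
        [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')] [string]$Mode = 'AuditMode'
    )
    $ids     = @($AsrRules.Keys)
    $actions = @($ids | ForEach-Object { $Mode })   # one action per rule ID, same order
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-OfficeAsrRuleState {
    # Read back the effective setting so the change can be verified after deployment.
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($AsrRules.Contains($ids[$i])) {
            $code   = [int]$acts[$i]
            $action = if ($names.ContainsKey($code)) { $names[$code] } else { "Unknown($code)" }
            [pscustomobject]@{ RuleId = $ids[$i]; Rule = $AsrRules[$ids[$i]]; Action = $action }
        }
    }
}

Set-ProtectedViewPolicy
Set-OfficeAsrRules -Mode AuditMode
Get-OfficeAsrRuleState | Format-Table -AutoSize
```

The child-process rule is the one that directly blunts the exploitation chain this advisory's monitoring section describes (Office spawning powershell.exe, cmd.exe or wscript.exe), which is why it is worth the audit-mode pass: anything it would block in audit is exactly what the EDR hunt above should be alerting on, so a clean audit log also validates the detection.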

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 8.4) and the remote code execution outcome, this vulnerability represents a critical threat to the organization. It is not currently on the CISA KEV list and no public exploit is known, but Office document-parsing flaws have repeatedly been added to KEV once weaponized, and a phishing-delivered document is a low-cost attack path. We strongly recommend that all organizations prioritize the immediate testing and deployment of the Microsoft security updates to all systems running vulnerable versions of Microsoft Office, and apply the compensating controls above wherever patching lags.