CVE-2025-53740
Microsoft · Microsoft Multiple Products
A high-severity vulnerability has been discovered in multiple Microsoft Office products that could allow an attacker to take full control of a user's computer.
Executive summary
A high-severity vulnerability has been discovered in multiple Microsoft Office products that could allow an attacker to take full control of a user's computer. If a user opens a specially crafted malicious document, the attacker can execute arbitrary code, potentially leading to data theft, malware installation, or further network intrusion. Due to the widespread use of Microsoft Office, this vulnerability poses a significant risk to the organization.
Vulnerability
This is a Use-After-Free memory corruption vulnerability. An attacker can exploit this flaw by creating a specially crafted Office file (e.g., a Word document or Excel spreadsheet) and convincing a user to open it. When the file is opened, the Office application incorrectly attempts to access a portion of memory that has already been deallocated, allowing the attacker-controlled data within the malicious file to be executed as code with the same permissions as the logged-in user.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.4. Successful exploitation would grant an attacker local code execution capabilities on the affected workstation. This could lead to a complete system compromise, enabling the attacker to install persistent malware such as ransomware or spyware, exfiltrate sensitive corporate data, manipulate or delete files, and use the compromised machine as a pivot point to move laterally across the corporate network. The primary risks include data breaches, financial loss, operational disruption, and reputational damage.
Remediation
Immediate Action: The primary remediation is to apply the security updates released by Microsoft across all affected endpoints immediately. System administrators should prioritize the deployment of these patches through standard update management systems like WSUS or Microsoft Endpoint Configuration Manager.
Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes looking for Office applications (e.g., winword.exe, excel.exe) spawning unusual child processes like cmd.exe or powershell.exe in endpoint detection and response (EDR) logs. Additionally, monitor for unexpected network connections originating from Office applications to unknown or malicious IP addresses.
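The two monitoring checks described above, as an added detection example that is not part of the advisory and not Microsoft's code: it runs a parent/child process check and an egress allowlist check over constructed, Sysmon-style telemetry. The field names (event_id, image, parent_image, pid, user, dest_ip), the sample events, the extra script-host names beyond cmd.exe and powershell.exe, and the allowlist are all assumptions made for this example and would need to be mapped to the EDR schema actually in use.

```python
"""Added detection example for the monitoring guidance in the advisory.

Not from the advisory or from Microsoft: this sketch runs two of the checks
described in the text over constructed, Sysmon-style telemetry records.
Field names (event_id, image, parent_image, pid, user, dest_ip), the sample
events and the allowlist are all assumptions for this example; map them to
your EDR's schema before use.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Office binaries treated as document-handling parents.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child processes a document should rarely need to launch. The advisory names
# cmd.exe and powershell.exe; the other script hosts are added here as an
# assumption and should be tuned to the environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}

# Constructed allowlist standing in for corporate ranges and known SaaS
# endpoints. A production list would also carry the Microsoft 365 service ranges.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed telemetry: event_id 1 = process creation, event_id 3 = network
# connection (Sysmon numbering). Paths and addresses are illustrative;
# 203.0.113.7 is from the TEST-NET-3 documentation range.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1, "pid": 4120, "user": "CORP\\alice",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event_id": 1, "pid": 4188, "user": "CORP\\alice",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},       # shell under Word: alert
    {"event_id": 1, "pid": 4201, "user": "CORP\\alice",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},           # printing helper: benign
    {"event_id": 3, "pid": 4120, "user": "CORP\\alice",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "10.20.30.40"},                      # internal range: allowed
    {"event_id": 3, "pid": 5532, "user": "CORP\\bob",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_ip": "203.0.113.7"},                      # not allowlisted: alert
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_process(image: str) -> bool:
    return _basename(image) in OFFICE_IMAGES


def flag_process_creation(event: Dict) -> Optional[str]:
    """Alert when an Office parent launches a shell or script host."""
    if not is_office_process(event["parent_image"]):
        return None
    child = _basename(event["image"])
    if child not in SUSPICIOUS_CHILDREN:
        return None
    return (f"office-child-process: {_basename(event['parent_image'])} -> {child} "
            f"(pid {event['pid']}, user {event['user']})")


def flag_network_connection(event: Dict, allowed: Iterable) -> Optional[str]:
    """Alert when an Office process connects to a destination outside the allowlist."""
    if not is_office_process(event["image"]):
        return None
    dest = ipaddress.ip_address(event["dest_ip"])
    if any(dest in net for net in allowed):
        return None
    return (f"office-network-egress: {_basename(event['image'])} -> {dest} "
            f"(pid {event['pid']}, user {event['user']})")


def scan(events: Iterable[Dict], allowed: Iterable = ALLOWED_NETWORKS) -> List[str]:
    """Run both checks over an event stream and return alert strings in order."""
    alerts: List[str] = []
    for ev in events:
        if ev["event_id"] == 1:
            hit = flag_process_creation(ev)
        elif ev["event_id"] == 3:
            hit = flag_network_connection(ev, allowed)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

On the constructed sample the scan yields exactly two alerts: the cmd.exe launched under WINWORD.EXE and the EXCEL.EXE connection to the non-allowlisted address; the explorer.exe parent, the splwow64.exe print helper and the internal-range connection are passed over. The parent/child check is the higher-confidence signal and maps directly onto the ASR rule that blocks Office child processes; the egress check will need a well-maintained allowlist to stay quiet.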
Compensating Controls: If patching cannot be deployed immediately, implement the following controls to mitigate risk:
- Ensure Microsoft Office Protected View is enabled, as it opens documents from untrusted sources in a sandboxed environment.
- Enable Attack Surface Reduction (ASR) rules to block Office applications from creating child processes or writing executable content.
- Reinforce user awareness training, advising employees to be cautious of unsolicited attachments and to never disable Protected View.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score and the prevalence of Microsoft Office within the enterprise, this vulnerability represents a significant and immediate threat. We strongly recommend that organizations prioritize the testing and deployment of the vendor-supplied security patches to all workstations and servers running affected versions of Microsoft Office. Although there is no evidence of active exploitation at this time, the risk of future exploitation is high, and proactive patching is the most effective defense.