CVE-2025-62199

Microsoft · Microsoft Multiple Products

A high-severity vulnerability has been identified in multiple Microsoft Office products that could allow an attacker to take control of an employee's computer.

Executive summary

A high-severity vulnerability has been identified in multiple Microsoft Office products that could allow an attacker to take control of an employee's computer. This flaw, known as a "Use-After-Free," can be triggered when a user opens a specially crafted malicious document, enabling the attacker to execute arbitrary code and potentially steal sensitive data or compromise the network.

Vulnerability

This is a Use-After-Free (UAF) vulnerability within Microsoft Office's memory management. An attacker can exploit this by creating a malicious Office file (e.g., a Word document or Excel spreadsheet) and convincing a user to open it. When the file is processed, the application incorrectly attempts to access a memory location that has already been deallocated, allowing the attacker to corrupt memory and execute arbitrary code on the local system with the privileges of the logged-in user.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the affected user's workstation. The potential consequences include theft of sensitive corporate data, installation of persistent malware or ransomware, unauthorized access to network resources, and the ability for an attacker to pivot to other systems within the corporate network. Given the ubiquitous nature of Microsoft Office documents in business operations, the risk of users encountering a malicious file through phishing or other social engineering tactics is significant.

Remediation

Immediate Action: The primary remediation is to apply the security updates released by Microsoft to all vulnerable systems immediately. System administrators should use centralized patch management systems to ensure comprehensive deployment. Concurrently, security teams should monitor for indicators of compromise and review system and application logs for any unusual activity related to Office applications.

Proactive Monitoring: Security teams should implement enhanced monitoring focused on Office application behavior. Look for Office processes (e.g., WINWORD.EXE, EXCEL.EXE) spawning suspicious child processes like powershell.exe, cmd.exe, or wscript.exe. Monitor for unusual network connections originating from Office applications to unknown external IP addresses. Endpoint Detection and Response (EDR) solutions should be configured to alert on and block malicious document execution patterns.
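To make the process-tree and egress checks described in this paragraph concrete, the following added Python example (not part of the advisory) runs them over constructed Sysmon-style events; the event layout, the allowlisted networks and the inclusion of cscript.exe are assumptions.

```python
import ipaddress

# Office host processes named in the advisory (matched case-insensitively by file name).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# Child interpreters the advisory calls out; cscript.exe is an added assumption.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Constructed placeholder allowlist of expected egress destinations; tune per environment.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample events in a simplified Sysmon-like "Key: value|Key: value" layout
# (EventID 1 = process creation, EventID 3 = network connection).
SAMPLE_EVENTS = [
    "EventID: 1|Image: C:\\Windows\\System32\\cmd.exe|ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "EventID: 1|Image: C:\\Windows\\splwow64.exe|ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
    "EventID: 1|Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE|ParentImage: c:\\program files\\microsoft office\\root\\office16\\excel.exe",
    "EventID: 1|Image: C:\\Windows\\System32\\cmd.exe|ParentImage: C:\\Windows\\explorer.exe",
    "EventID: 3|Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|DestinationIp: 192.0.2.25",
    "EventID: 3|Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|DestinationIp: 198.51.100.7",
]

def parse_event(line):
    """Split 'Key: value|Key: value' into a dict, ignoring fragments without a separator."""
    fields = {}
    for part in line.split("|"):
        if ": " in part:
            key, value = part.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields

def basename(path):
    """Lower-cased file name, tolerant of either separator (Sysmon records full paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return an alert label for one event, or None when nothing in the advisory matches."""
    if event.get("EventID") == "1":
        parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            return f"office-child-interpreter:{parent}->{child}"
    elif event.get("EventID") == "3":
        try:
            dst = ipaddress.ip_address(event.get("DestinationIp", ""))
        except ValueError:
            return None  # missing or malformed address: no verdict rather than a false alert
        if basename(event.get("Image", "")) in OFFICE_PARENTS and not any(dst in n for n in ALLOWED_NETS):
            return f"office-unexpected-egress:{basename(event['Image'])}->{dst}"
    return None

def alerts_for(lines):
    """Run every raw line through the classifier and keep only the hits."""
    return [hit for hit in (classify(parse_event(line)) for line in lines) if hit]
```

The benign print-spooler helper (splwow64.exe) and the explorer-spawned shell are left alone, while the allowlist keeps routine destinations from flooding the alert queue.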

Compensating Controls: If immediate patching is not feasible, the following controls can help reduce risk:

  • Ensure Microsoft Office Protected View is enabled for all documents originating from the internet or untrusted locations.
  • Enforce policies to block or disable macros from running in Office files from untrusted sources.
  • Implement user awareness training to reinforce caution against opening unsolicited email attachments or links.
  • Utilize application control solutions to prevent Office applications from executing unauthorized code or creating executable files in user-writable directories.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.8) and the potential for local code execution, this vulnerability poses a significant risk to the organization. We strongly recommend that all affected Microsoft Office installations be patched on an emergency basis. Although this CVE is not yet listed in the CISA KEV catalog, its potential for exploitation via common phishing attacks warrants immediate attention. Prioritize patching on systems used by high-risk personnel and on all external-facing workstations.