Microsoft has fixed several vulnerabilities in various Office products. An attacker can exploit these vulnerabilities to carry out attacks. Read here which updates can help you and your computer(s).
Last Tuesday on Patch Tuesday, Microsoft made a number of updates available that you really should install as soon as possible. A number of serious vulnerabilities have been found. The most serious vulnerability is in the preview screen within Microsoft Office. This vulnerability, designated CVE-2024-21413, could allow an attacker to execute arbitrary code. Applications that use the preview screen, such as Outlook, are vulnerable to this. Successful abuse requires the attacker to trick the victim into clicking a malicious link. The resolved vulnerabilities are also in Microsoft Office, Microsoft OneNote, Microsoft Skype, Microsoft Teams for Android and Microsoft Word. It is important to mention that exploitation of the vulnerabilities in Skype and Teams for Android is only possible if the attacker has physical access to the vulnerable system, or is located (as Man-in-the-Middle) in the adjacent network. For a clear overview of the various vulnerabilities: view the security advice from the NCSC.
What can I do?
Microsoft has made updates available that resolve the various vulnerabilities. The Digital Trust Center recommends installing these updates as soon as possible. Therefore, type update in the search box with the magnifying glass and go to Windows Update to download and install the updates there.
More information about the vulnerabilities, installing the updates and possible workarounds can be found here. If you are not sure whether you use the Microsoft Office products mentioned or have outsourced IT management, please contact your IT service provider. Submit your urgent request to implement the necessary measures as quickly as possible.
To the security updates
Additional information
The vulnerability has received a CVSS score of 9.8. The NCSC has decided to scale up the security advice surrounding this vulnerability to High/High after PoC has been made publicly available. The PoC currently only shows the potential of the output and is not functional. However, the NCSC expects executable exploit code in the short term. This means that there is a high chance that this vulnerability will be exploited, which could cause significant damage.
