Microsoft Office Type Confusion Vulnerability Leading to Remote Code Execution

Vulnerability

A type confusion vulnerability has been identified in Microsoft Office, allowing an unauthorized attacker to execute code locally. The issue arises when the application accesses a resource using an incompatible type. The vulnerability is present in several Microsoft Office applications, including Word, Excel, and Outlook, on both Windows and Mac platforms. Exploitation requires user interaction: an attacker must send a malicious file and convince the user to open it.

Impact

Exploitation of this vulnerability allows for remote code execution.

Reproduction

To reproduce this vulnerability, an attacker must send a malicious file to the user and convince them to open it. The Preview Pane can be used to trigger the vulnerability.

Remediation

Security updates are available for Microsoft Office LTSC for Mac 2021 and 2024. Customers should ensure these updates are installed. For Windows users, Microsoft released a security update (KB5002700) and a follow-up update (KB5002623) to address this vulnerability. Customers should install both updates.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (each category scored 0-10)

spread          9.0
impact          7.5
exploitability  4.8
remediation     7.7
relevance       0.0
threat          1.6
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.