Microsoft Office Heap-Based Buffer Overflow Vulnerability Allowing Local Code Execution

A heap-based buffer overflow vulnerability has been identified in Microsoft Office. This vulnerability allows an unauthorized attacker to execute code locally. It affects multiple versions of Microsoft Office, including Office LTSC 2021 and 2024 for both Windows and Mac, Microsoft 365 Apps for Enterprise, Office 2019, Office 2016, and Office Online Server.

Impact

Exploitation of this vulnerability could lead to remote code execution, allowing an attacker to execute arbitrary code on the affected system.

Reproduction

The vulnerability can be exploited by an attacker who convinces a user to open a specially crafted file, potentially through social engineering. The Preview Pane in certain Office applications may also serve as an attack vector, allowing the file to be opened without direct interaction.

Remediation

Users can apply the security updates available through the Microsoft Update Catalog or via the Office Update mechanism. Specific update details can be found in the Microsoft Office Security Update Release Notes.