Microsoft Office Type Confusion Vulnerability Leading to Remote Code Execution

Vulnerability

A type confusion vulnerability has been identified in Microsoft Office that allows an unauthorized attacker to execute code locally. The flaw stems from a resource being accessed through an incompatible type, which could let an attacker manipulate the program's execution flow.

Impact

Successful exploitation of this vulnerability could result in remote code execution on the affected user's machine.

Reproduction

Exploitation requires the attacker to deliver a malicious link to the victim, either by email or by instant messaging. The vulnerability can be triggered even if the victim does not open or click the link, although a victim who does so is more likely to be exploited.

Remediation

Users can download the security update for Microsoft Office 2016, Office 2019, and Microsoft 365 Apps for Enterprise from the Microsoft Update Catalog. For Microsoft Office LTSC 2021 and Office LTSC 2024 for Mac, security updates will be released as soon as possible, and customers will be notified when they become available.

Added: Dec 10, 2025, 1:02 AM
Updated: Dec 10, 2025, 1:02 AM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           9.0
impact           10.0
exploitability   4.8
remediation      7.7
relevance        1.4
threat           1.6
urgency          2.9
incentive        0.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.