Microsoft Office Remote Code Execution Vulnerability

Feb 2, 2022 by Taylor Krieg

Earlier this month, Microsoft released an advisory for two remote code execution vulnerabilities affecting Microsoft Office (CVE-2022-21840) and Microsoft Excel (CVE-2022-21841).

This impacts both PC and Mac users.

For the attacker to gain access, the end user would have to be baited into opening a specially crafted file or visiting a website. In other words, the attacker must convince the user to take some sort of action before the attacker is able to breach the system. For example:

  • In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
  • In a web-based attack scenario, an attacker could host or leverage a compromised website containing a specially crafted file designed to exploit the vulnerability.

How can you fix this?

At the moment, the security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.

This highlights the need for a robust Security Awareness Training Program.  As vulnerabilities are found, vendors cannot always provide an immediate fix.  We can, however, count on the bad guys to try taking advantage of these weaknesses.

In the meantime, be on the lookout for available security updates and updates to the CVE.

 

If you have any additional questions or concerns, please call 502-240-0404 or send us an email at info@mirazon.com
