CVE-2021-28449: Microsoft Office Remote Code Execution Vulnerability

Overview

Severity
High (CVSS 7.8)
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Category
Remote Code Execution
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2021-Apr
Released
2021-04-13
Last Updated
2021-04-27
EPSS Score
10.94% (percentile: 93.4%)

FAQ

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.

Why am I receiving notifications during file load?

Some Office files, templates, or add-ins (even ones originally obtained from Microsoft) may display a notification message. Macros, or add-ins, in those files have been disabled. Please see Side effects after you apply April 2021 security updates for Office for more information.

I'm running Office 2010 or Office 2013. Why are my add-ins such as Solver and Analysis ToolPak appearing in a different language after installing this update?

This behavior is expected after installing these updates. Please see Side effects after you apply April 2021 security updates for Office to learn the steps to display the desired language.

I'm running Office 2007. How do I protect myself?

Microsoft Office 2007 reached end of support on October 10, 2017. To stay supported, you will need to upgrade to a supported version of Office. If upgrading is not feasible, applying the following mitigations can help protect your system; however, they will disable multiple features in Microsoft Office. To mitigate the vulnerability, all of the following modifications must be made:

  • Remove all Trusted Publishers: See Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system for more information.
  • Disable VBA for Office: See How to turn off Visual Basic for Applications when you deploy Office.

In addition, for each Microsoft Office 2007 Application, disable the following:

  • Disable all macros without notification: see the Disable untrusted macros without notification section of Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system.
  • Disable Trusted Locations: see Plan trusted locations and trusted publishers settings for the 2007 Office system.
  • Disable all Application Add-ins: see the Disable add-ins on a per-application basis section of Plan security settings for Active

Affected Products (18)

Microsoft Office

  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft Excel 2016 (32-bit edition)
  • Microsoft Excel 2016 (64-bit edition)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)
  • Microsoft Excel 2010 Service Pack 2 (32-bit editions)
  • Microsoft Excel 2010 Service Pack 2 (64-bit editions)
  • Microsoft Excel 2013 RT Service Pack 1
  • Microsoft Excel 2013 Service Pack 1 (32-bit editions)
  • Microsoft Excel 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 RT Service Pack 1
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)

Security Updates (20)

Acknowledgments

  • Dima van de Wouw (dima@outflank.nl) - Outflank
  • Pieter Ceelen (pieter@outflank.nl) - Outflank
  • Outflank (https://www.outflank.nl/)
  • Nathan Shomber of Microsoft

Revision History

  • 2021-04-13: Information published.
  • 2021-04-27: Updated acknowledgment.