CVE-2021-43905: Microsoft Office app Remote Code Execution Vulnerability

Overview

Severity

Critical (CVSS 9.6)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

More Likely

Patch Tuesday

2021-Dec

Released

2021-12-14

Last Updated

2021-12-16

EPSS Score

0.37% (percentile: 59.0%)

FAQ

How do I get the update for Office app? The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately; see here for details. Be sure to select the tab for the operating system installed on your device to search for updates. It is possible for customers to disable automatic updates for the Microsoft Store. The Microsoft Store will not automatically install this update for those customers. You can get the update through the store here: ms-windows-store://pdp/?productid=9WZDNCRD29V9. How can I check if the update is installed? App versions 18.2110.13110.0 and later contain this update. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.

Affected Products (1)

Apps

• Office app

Security Updates (1)

• Release Notes

Acknowledgments

Fabian Bräunlein and Lukas Euler from <a href="https://positive.security">Positive Security</a>, Felix Boulet

Revision History

• 2021-12-14: Information published.
• 2021-12-16: Added an FAQ to indicate the app version that contains the update.