CVE-2024-38200: Microsoft Office Spoofing Vulnerability

Overview

Severity
Medium (CVSS 6.5)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category
Spoofing
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Publicly Disclosed
Yes
Patch Tuesday
2024-Aug
Released
2024-08-08
Last Updated
2024-08-13
EPSS Score
55.15% (percentile: 98.1%)

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

Am I vulnerable to this issue until I install the August 13, 2024 updates?

No, we identified an alternative fix to this issue that we enabled via Feature Flighting on 7/30/2024. Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix.

When will a final update be available to address this vulnerability?

The Security Updates table will be revised when the update is publicly available. If you wish to be notified when this update is released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications and Coming Soon: New Security Update Guide Notification System.

There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.

Detection & Weaponization (1 source)

Maturity: Exploit

  • GitHub PoC: 1 repository

Affected Products (8)

Microsoft Office

  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)

Security Updates (4)

Acknowledgments

Metin Yunus Kandemir, JimSRush (https://jimsrush/) with PrivSec Consulting (https://privsec.nz/)

Revision History

  • 2024-08-08: Information published.
  • 2024-08-09: Added FAQ information. This is an informational change only.
  • 2024-08-10: Updated the Publicly Disclosed information.
  • 2024-08-13: Security Updates table updated to provide links to the KB articles and Download Center updates. Microsoft recommends installing the updates.