Microsoft Office lets hackers execute arbitrary code, update now

A newly discovered flaw in Excel lets hackers run arbitrary code

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurityresearchers from Cisco Talos recently discovered a high-severity vulnerability inMicrosoftOffice that would allow potential threat actors to remotely execute malicious code on the target endpoint.

Announcing the news in a short blog post published earlier this week, theoffice softwaredeveloper said its researcher Marcin ‘Icewall’ Noga uncovered a class attribute double-free vulnerability affectingMicrosoft Excel.

By running a weaponized Excel file, the victim would allow the attacker to execute arbitrary code on their device. The vulnerability is now being tracked as CVE-2022-41106, and other than that, details are scarce.

What we do know is that Microsoft was notified and has already provided a patch. Excel users are advised to update their software to version 2207 build 15427.20210 and version 2202 build 14931.20660.

Targeting office workers

Microsoft’sproductivitysuite continues to be one of the most popular attack vectors among cybercriminals. Up until recently, Office documents with malicious macros, distributed via email, were the most popular way to have office workers download and run malware on their computers, opening up the doors to more destructive cyberattacks such asransomwareoridentity theft.

Microsoft Excel is making a big change to protect against malware>Microsoft Office is finally making this vital security change across Excel, Word and more>Here are the best antivirus programs around

More recently, Microsoft decided to prevent the software from running macros at all, in files downloaded from the internet, as opposed to the trusted, local network.

That prompted cybercriminals to move away from macros and into Windows shortcut files (.lnk) which are now widely used to side-load malicious .dlls, and other kinds of malware.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Regardless of the security measures implemented by software makers and companies, one truth remains - the employees are still the weakest link in the cybersecurity chain. Unless they are educated and trained to stop cyberattacks, crooks will always find a way to trick them into downloading and running malware.

Besides this, making sure the staff isn’t overworked and distracted can also help improve the cybersecurity posture of any company.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Windows PCs targeted by new malware hitting a vulnerable driver

Dangerous Android banking malware looks to trick victims with fake money transfers

Apple iMac 24-inch M4 (2024) review: the best, and most colorful, all-in-one computer levels up