Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Microsoft released critical fixes for three closely related remote code execution (RCE) vulnerabilities<\/a> in Microsoft Outlook and Word that stem from low\u2011level memory\u2011safety flaws in the Word rendering engine and its integration with Outlook Classic.<\/p>\n These bugs, tracked as CVE\u20112026\u201145456, CVE\u20112026\u201145458, and CVE\u20112026\u201147635, are rated Critical with a CVSS v3.1 base score of 8.4, reflecting high impact on confidentiality, integrity, and availability if exploited.<\/p>\n Although the CVSS vectors show a local attack vector (AV:L), Microsoft classifies<\/a> them as remote code execution because a remote attacker can deliver malicious content over the network (for example, via email). At the same time, the actual exploit triggers locally when Office processes the content.<\/p>\n All three vulnerabilities are rooted in unsafe memory handling within the Office document parsing pipeline.<\/p>\n CVE\u20112026\u201145456 and CVE\u20112026\u201147635 involve type confusion<\/a>, where internal data structures are accessed with an incompatible or incorrect type, breaking type safety guarantees at runtime.<\/p>\n In practice, a crafted document can manipulate object layout assumptions so that the Word engine interprets attacker\u2011controlled data as a valid object or pointer.<\/p>\n Once the engine performs operations on that mis\u2011typed object, it can cause controlled memory corruption, which attackers can exploit to execute arbitrary code by hijacking control\u2011flow, such as function pointers or vtable entries.<\/p>\n CVE\u20112026\u201145458 <\/a>involves a use-after-free pattern. In this scenario, Word frees a memory object but continues to hold a dangling pointer to it.<\/p>\n An attacker\u2011crafted document can cause the freed region to be reallocated to attacker\u2011controlled data, so when the stale pointer is later dereferenced, execution flows through data the attacker controls, again enabling code execution.<\/p>\n A key operational detail for defenders is that Outlook Classic uses Word as the rendering engine for email content, including in the Preview Pane.<\/p>\n That means a specially crafted email body or attachment that triggers one of these memory\u2011corruption paths can execute code merely when the message is rendered, without requiring the user to open an attachment explicitly.<\/p>\n From a kill\u2011chain perspective, this allows a remote attacker to send a single weaponized email<\/a> to a target, rely on automatic rendering or user preview in Outlook, and achieve arbitrary code execution with the victim user\u2019s permissions.<\/p>\n Because the vulnerabilities do not require additional privileges or explicit user interaction beyond normal rendering, a successful exploit can be chained with privilege\u2011escalation or lateral\u2011movement techniques to pivot deeper into the environment.<\/p>\n The affected scope includes Microsoft Office LTSC 2024<\/a> (32\u2011bit and 64\u2011bit) and other supported Word\/Outlook builds that use the same rendering components.<\/p>\n Microsoft\u2019s guidance<\/a> stresses that customers must apply all applicable Office security updates to their installations in environments with multiple Office SKUs, and that administrators must ensure each product line receives its corresponding security package.<\/p>\n Some Mac Office channels (Office LTSC for Mac 2021\/2024 and Microsoft 365 for Mac) may receive their patches slightly later than others. However, they are part of the same remediation effort.<\/p>\n From a defensive posture standpoint, patching remains the primary and non\u2011negotiable mitigation, as these are core engine\u2011level issues that cannot be fully neutralized by configuration changes alone.<\/p>\n However, organizations can reduce exploitability and blast radius through layered controls. Hardening Outlook by disabling or limiting Preview Pane<\/a> for untrusted mailboxes, enforcing Protected View for files originating from the internet.<\/p>\n Using Attack Surface Reduction (ASR)<\/a> rules to restrict Office from spawning child processes can materially raise the bar for successful exploitation and post\u2011compromise actions.<\/p>\n On the detection side, security teams should watch for anomalous Word or Outlook processes exhibiting unusual memory\u2011access violations, crashes when rendering specific messages, or suspicious child processes spawned from Office, which can be indicative of exploit attempts or successful code execution.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMicrosoft Outlook and Word RCE Flaws<\/strong><\/h2>\n