
The weakness is rated 7.8 out of 10 for severity on the CVSS vulnerability scoring system. Microsoft Office versions Office 2013, Office 2016, Office 2019, and Office 2021, as well as Professional Plus editions, are impacted.
An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Additionally, open-source research suggests that a Rich Text Format file (.rtf) can also trigger the invocation of this exploit through the preview pane within Windows Explorer, thus extending the severity of this threat.
- Workarounds:
Customers with Microsoft Defender Antivirus should turn-on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Customers of Microsoft Defender for Endpoint can enable attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see Attack surface reduction rules overview. However, if organizations are not yet using ASR, they may wish to run the rule in Audit mode first and monitor the outcome to ensure there is no adverse impact on end users.
To mitigate exploitation organizations may consider removing the file type association for ms-msdt. When the malicious document is opened,
Office will not be able to invoke the application thus preventing the malware from running. Be sure to make a backup of the registry settings prior to using this mitigation.
For more detailed information on next steps, please visit Microsoft Security Response Center.
Sources: Microsoft /Sans.edu / HackerNews