Microsoft Word Zero-Day Vulnerability

Six Degrees is aware of a newly reported zero-day vulnerability in Microsoft Office. It can be exploited using a malicious Word document to enable code execution on a victim’s system, and it works even with macros disabled. If the document is changed to .rtf (Rich Text Format), the exploit can run in the preview window of File Explorer, making this Word document a ‘zero-click exploit’. This threat has been given a CVSS score of 7.8 (High).

The Word document itself does not contain any malicious code; instead, it references a remote template. As a result, standard antivirus software will not mark the document as a threat. We advise our customers to remain vigilant for phishing attempts and not to click anything suspicious, as phishing has been identified as a point of entry.
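Because the malicious part is a reference rather than embedded code, a mail or file gateway can check a .docx for it directly. The following is an added example, not code from Six Degrees or Microsoft: it lists every external, non-hyperlink relationship in an OOXML package. The function names, the size limit and the sample package are assumptions made for illustration, and .rtf files are out of scope because they are not zip packages.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MAX_RELS_BYTES = 1_000_000  # assumed limit: refuse oversized parts (decompression-bomb guard)

def external_references(data: bytes):
    """List (part, relationship kind, target) for external, non-hyperlink relationships."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (zip) package, e.g. an .rtf or legacy .doc")
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_RELS_BYTES:
                findings.append((info.filename, "oversized-part", ""))
                continue
            # A production scanner should parse untrusted XML with a hardened parser.
            try:
                root = ET.fromstring(pkg.read(info))
            except ET.ParseError:
                findings.append((info.filename, "unparseable-part", ""))
                continue
            for rel in root.iter(PKG_NS + "Relationship"):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                # Hyperlinks need a click; other external targets can load on open.
                if rel.get("TargetMode") == "External" and kind != "hyperlink":
                    findings.append((info.filename, kind, rel.get("Target", "")))
    return findings

def build_sample(external: bool) -> bytes:
    """Constructed test package: only a .rels part is present, so Word would not open it."""
    target = "https://example.invalid/t.dotm" if external else "template.dotm"
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{PKG_NS[1:-1]}">'
            f'<Relationship Id="rId1" Type="{DOC_REL}/attachedTemplate" '
            f'Target="{target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in external_references(build_sample(True)):
        print(f"{part}: external {kind} -> {target}")
```

A finding is a reason to quarantine and review the file, not proof of malice, since legitimate documents also link to external templates and images.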

Affected products:

  • Word 2013
  • Word 2016
  • Word 2019
  • Word 2021

There is currently no patch available from Microsoft, but rest assured we will continue to monitor the situation.