Six Degrees is aware that a new zero-day vulnerability has been reported in Microsoft Office. It can be exploited using a malicious Word document to achieve code execution on a victim’s system, and it works even with macros disabled. If the document is converted to .rtf (Rich Text Format), it can run in the preview pane of File Explorer, making this Word document a ‘zero-click exploit’. This threat has been given a CVSS rating of 7.8 (High).
The Word document itself does not contain any malicious code; instead, it references a remote template. As a result, standard antivirus software will not mark the document as a threat. We therefore advise our customers to remain vigilant for phishing attempts and not to click anything suspicious, as phishing has been identified as a point of entry.
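Because the document carries only a reference, the place to look is its relationship parts rather than its content. The following check is an added example, not part of the original advisory or any Six Degrees tooling: it lists every relationship in a .docx package that points outside the file. The sample package, the example.invalid URLs and the choice to treat hyperlinks as routine are assumptions, and it covers .docx only, not .rtf.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml is the safer parser

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ROUTINE_TYPES = {"hyperlink"}  # assumption: external hyperlinks are normal, other types are not


def external_relationships(docx_bytes):
    """Return (part, type, target) for each relationship that points outside the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(pkg.read(part)).iter(REL_TAG):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((part, rel_type, rel.get("Target", "")))
    return found


def needs_review(found):
    """Keep only external references that are not routine hyperlinks."""
    return [f for f in found if f[1] not in ROUTINE_TYPES]


def build_sample():
    """Constructed sample: a zip holding only two .rels parts, not a usable document."""
    def rels(*entries):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{OOXML_REL}{t}" Target="{target}"{mode}/>'
            for i, (t, target, mode) in enumerate(entries, 1))
        return ('<Relationships xmlns="http://schemas.openxmlformats.org/'
                f'package/2006/relationships">{body}</Relationships>')
    ext = ' TargetMode="External"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", rels(
            ("styles", "styles.xml", ""),
            ("hyperlink", "https://example.invalid/help", ext)))
        pkg.writestr("word/_rels/settings.xml.rels", rels(
            ("attachedTemplate", "https://example.invalid/template.dotm", ext)))
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in needs_review(external_relationships(build_sample())):
        print(f"REVIEW {part}: {rel_type} -> {target}")
```

A hit is a prompt for review, not a verdict: some organisations legitimately attach templates hosted on internal servers.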
Affected products:
- Word 2013
- Word 2016
- Word 2019
- Word 2021
There is currently no patch available from Microsoft, but rest assured we will continue to monitor the situation.