Microsoft Issues Emergency Patch for Active Office Zero-Day

"Microsoft has released emergency out-of-band security updates to fix an actively exploited zero-day vulnerability in Microsoft Office. The flaw allows threat actors to bypass built-in Office security protections after tricking users into opening malicious files, typically delivered through phishing or social engineering. The vulnerability '... in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,' Microsoft said in its advisory."
"CVE-2026-21509 stems from weaknesses in how Microsoft Office enforces Object Linking and Embedding (OLE) security protections, which are designed to limit the risk posed by embedded COM/OLE components inside Office documents. OLE allows documents to embed or link to external objects - such as spreadsheets, scripts, or ActiveX controls - that can execute code or interact with the operating system."
An actively exploited Microsoft Office zero-day, CVE-2026-21509, permits attackers to bypass Object Linking and Embedding (OLE) security protections by manipulating how Office evaluates trust for embedded COM/OLE objects. Attackers craft Office documents that supply maliciously constructed input values to the trust-decision logic, causing Office to misclassify untrusted components as safe. When a user opens a malicious file, typically delivered via phishing or social engineering, the bypassed protections can allow embedded objects to run in a more permissive context and enable code execution. Microsoft released emergency out-of-band updates to address the flaw; users should apply patches and avoid opening suspicious attachments.
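For triage while patches roll out, the following added example (not from Microsoft or TechRepublic) inventories the embedded and linked OLE/ActiveX objects that an OOXML attachment (.docx, .xlsx, .pptx) declares in its relationship parts. It does not detect exploitation of CVE-2026-21509 and does not cover legacy .doc or .rtf files; the function names, size limit and sample document are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile input at scale, a hardened parser such as defusedxml is preferable

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that point at OLE objects, embedded packages, or ActiveX controls.
WATCHED = {OFFICE_REL + "oleObject": "ole-object",
           OFFICE_REL + "package": "embedded-package",
           OFFICE_REL + "control": "activex-control"}
MAX_RELS_BYTES = 1_000_000  # assumed cap: skip oversized .rels parts (zip-bomb guard)

def find_ole_references(data: bytes) -> list[dict]:
    """Return one record per OLE/ActiveX relationship declared in an OOXML file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_RELS_BYTES:
                continue
            root = ET.fromstring(zf.read(info))
            for rel in root.iter(REL_NS + "Relationship"):
                kind = WATCHED.get(rel.get("Type", ""))
                if kind is None:
                    continue
                findings.append({
                    "part": info.filename,
                    "kind": kind,
                    "target": rel.get("Target", ""),
                    # External targets are linked objects fetched from outside the file.
                    "linked": rel.get("TargetMode") == "External",
                })
    return findings

def build_sample() -> bytes:
    """Constructed sample: a ZIP holding only a relationships part (no real payload)."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}oleObject" Target="embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" Target="file:///C:/placeholder.xlsx" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}image" Target="media/image1.png"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in find_ole_references(build_sample()):
        print(finding)
```

A non-empty result only means the document carries OLE content worth a closer look before it reaches a user; many legitimate documents embed spreadsheets or charts this way.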
Read at TechRepublic