
"The flaw, tracked as CVE-2026-21509, and slapped with a CVSS score of 7.8, falls into Microsoft's 'security feature bypass' bucket. In practice, this means attackers can dodge protections that are supposed to stop unsafe legacy components from running. Those components include COM and OLE - old Windows plumbing that's been at the heart of document-based attacks for years and clearly hasn't earned its retirement yet."
"According to Microsoft, exploitation doesn't hinge on the Office preview pane - often a red flag in past campaigns - but still requires little effort once a victim is persuaded to open a booby-trapped file. In its advisory, the company describes the issue as a case of 'reliance on untrusted inputs in a security decision,' a polite way of saying Office can be talked into doing things it shouldn't."
Microsoft released an emergency Office patch for a zero-day, CVE-2026-21509, scored CVSS 7.8 and classified as a security feature bypass. The flaw lets an attacker get past the protections that are meant to stop unsafe legacy COM and OLE components from loading; exploitation requires only that a victim open a crafted Office file and does not depend on the preview pane. Most current Office builds are affected, including Office 2016, Office 2019, the LTSC releases, and Microsoft 365 Apps for Enterprise. Updates are available for the newer versions, while fixes for Office 2016 and 2019 are still pending. As an interim mitigation, Microsoft describes blocking the vulnerable COM and OLE controls in the registry: add an entry for the control under Office's COM Compatibility key and set its Compatibility Flags DWORD value so that Office refuses to load the control. Until the patch lands, that registry block is the only protection for unpatched builds, and it blocks legitimate uses of the same control as well.
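The registry mitigation, shown here as an added example rather than anything taken from the article or from Microsoft's advisory. It assumes, from how Office's COM "kill bit" has worked historically, that the key lives under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{CLSID} (with a per-version 16.0 twin) and that the Compatibility Flags DWORD bit 0x400 is what blocks a control; the CLSID in the block is a placeholder, and both the paths and the flag value should be checked against the advisory for the specific controls it names before anything is rolled out:

```powershell
# Added example (not from the article or Microsoft): block a COM/OLE control in Office
# via its COM Compatibility "kill bit", then verify the setting took.
# Assumptions: Office reads HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{CLSID}
# (and the 16.0 per-version path); the "Compatibility Flags" DWORD bit 0x400 blocks the control.
# The CLSID below is a PLACEHOLDER; substitute the control(s) named in Microsoft's advisory.
#Requires -RunAsAdministrator

$KillBit   = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
)

# Hypothetical placeholder CLSID - replace with the real one(s) from the advisory.
$TargetClsids = @('{00000000-0000-0000-0000-000000000000}')

function Set-OfficeComKillBit {
    # Creates the per-CLSID key under each base path and ORs the kill bit into
    # Compatibility Flags, preserving any other flag bits already present.
    param(
        [Parameter(Mandatory)] [string[]] $Clsid,
        [string[]] $Paths = $BasePaths
    )
    foreach ($p in $Paths) {
        foreach ($c in $Clsid) {
            $key = Join-Path -Path $p -ChildPath $c
            if (-not (Test-Path -Path $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
            $newValue = [int]($existing -bor $KillBit)   # $null -bor 0x400 == 0x400
            New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                             -Value $newValue -Force | Out-Null
        }
    }
}

function Test-OfficeComKillBit {
    # Emits one object per (path, CLSID) saying whether the kill bit is set,
    # so the result can be fed to a compliance check or a report.
    param(
        [Parameter(Mandatory)] [string[]] $Clsid,
        [string[]] $Paths = $BasePaths
    )
    foreach ($p in $Paths) {
        foreach ($c in $Clsid) {
            $key   = Join-Path -Path $p -ChildPath $c
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                       -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{
                Key     = $key
                Flags   = if ($null -eq $flags) { '<absent>' } else { '0x{0:X}' -f $flags }
                Blocked = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

Set-OfficeComKillBit  -Clsid $TargetClsids
Test-OfficeComKillBit -Clsid $TargetClsids | Format-Table -AutoSize
```

On a 64-bit Windows host running 32-bit Office the same keys would additionally need to be written under the WOW6432Node hive path, which this example does not do. The verify function is the part worth keeping after the patch ships: run it across the fleet to confirm the block is present on builds still awaiting the fix, and to decide when to remove it once they are updated.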
Source: The Register