Beware of Graphics Files in Microsoft Office – Update Now to Patch Critical RCE Vulnerability

CVE: CVE-2023-36045
CVSS v3.1: 7.8
Source: CVE-2023-36045

Microsoft Office is one of the most popular office suites used worldwide by individuals and organizations. Unfortunately, a critical remote code execution (RCE) vulnerability has been discovered in how Microsoft Office handles embedded graphics files.

The vulnerability, tracked as CVE-2023-36045, exists in how Office parses and renders graphics files such as JPEG, PNG and GIF. A specially crafted file could allow an attacker to execute arbitrary code on the target system with the privileges of the user opening the file. This would allow the attacker to install programs, view, change or delete data, or create new accounts with full user rights.

Attackers often exploit such vulnerabilities by sending malicious files via email attachments or sharing them over unsecured websites. If a user opens the file, their system is left vulnerable to remote takeover without their knowledge.

The CVSS score for this vulnerability is 7.8 out of 10, making it a critical issue. All Office users should update to the latest versions, as Microsoft has released security updates that patch this vulnerability. Enable automatic updates, or manually check for and install all Office updates.

Exercise caution when opening files from untrusted or unknown sources. Be very careful with email attachments, even from known senders, as email accounts are commonly compromised. Avoid enabling macros in untrusted documents. Following basic cybersecurity practices can help prevent exploitation of such vulnerabilities.
