Patch now – Hackers exploiting Windows 10 via Microsoft Office
Office for Mere Mortals helps people around the world get more from Word, Excel, PowerPoint and Outlook. Delivered once a week. free.
One of the recent security patches from Microsoft is being actively exploited by hackers hoping to trap people who don’t update their computer quickly. The security bug can use an Office document to infect your computer.
The security hole is in the Internet Explorer browser and the VBscript engine. It affects Windows 7 onwards plus Windows Server 2008 and later versions. In other words, all supported Windows releases.
If you run Windows Update, it should patch your computer for this and many other security bugs in Windows. If you normally wait a week or two (in case of a faulty patch), this is a situation where it’s best to update quickly.
Microsoft Office is the doorway
While Microsoft’s documentation of the bug CVE-2018-8174 talks about VBscript, Internet Explorer and Windows, a careful read shows that Microsoft Office is involved as well.
Redmond says the bug can be exploited by ‘embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine’
Yet again, Microsoft won’t distinguish between the old and new Office document formats. Can the security bug be accessed via ‘.doc .xls .ppt’, ‘.docx .xlsx .pptx’ – either or both types?
Office Watch has the latest news and tips about Microsoft Office. Independent since 1996. Delivered once a week.