Microsoft fixes critical Office zero-day under active attack

Summary
– Microsoft has released emergency security updates to patch a high-severity zero-day vulnerability (CVE-2026-21509) in multiple Office versions, which is being actively exploited.
– The vulnerability is a security feature bypass: an attacker who gets a user to open a malicious Office file can locally defeat the protection Office applies to vulnerable COM and OLE controls.
– Security updates are not yet available for Office 2016 and 2019; for those versions Microsoft has published a registry-based mitigation to apply in the meantime.
– Customers using Office 2021 and later will be automatically protected via a service-side change after restarting their Office applications.
– Microsoft recommends impacted customers follow its guidance, noting that Microsoft Defender and Protected View settings offer additional protection layers.
Microsoft has issued urgent out-of-band security updates for a zero-day vulnerability that is being actively exploited against Microsoft Office. Tracked as CVE-2026-21509 and rated high severity, the flaw lets an attacker bypass a security feature that protects users from vulnerable COM and OLE controls. It affects a wide range of Office versions, from Office 2016 and 2019 through Office LTSC 2021, Office LTSC 2024 and the cloud-based Microsoft 365 Apps for Enterprise.
Patches are available for most of these versions, but the security updates for Office 2016 and 2019 are not yet ready; Microsoft says they will be released as soon as possible. Until then, users of those two versions must rely on the manual mitigation described below.
Exploitation requires user interaction: an attacker must persuade the target to open a malicious Office file. The Preview Pane is not an attack vector, but once the file is opened the attack complexity is low. Microsoft describes the root cause as “reliance on untrusted inputs in a security decision,” which lets an unauthorized attacker locally bypass a security feature designed to protect users from vulnerable COM and OLE controls.
For customers using Office 2021 and later, protection is being applied automatically through a service-side update. However, a restart of all Office applications is required for this protection to take full effect.
Since patches are delayed for Office 2016 and 2019, Microsoft has provided a registry-based workaround to reduce the risk of exploitation. The process involves editing the Windows Registry, which should be done with caution after creating a backup.
To apply the mitigation, users should follow these steps:
- Close all Microsoft Office applications.
- Create a backup of the Windows Registry.
- Open the Registry Editor (regedit.exe).
- Navigate to, or create, the registry key path given in Microsoft's advisory; the path differs for 32-bit and 64-bit Office installations.
- Create a new key named `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`.
- Inside that key, create a new DWORD (32-bit) Value named `Compatibility Flags`.
- Set the value data to `400` with the Hexadecimal base selected (that is, 0x400).
Once these steps are complete, the mitigation takes effect the next time Office applications are started.
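The steps above are written for the Registry Editor GUI; in a fleet you would script them. The following PowerShell script is an added example, not code from the article, from Bleeping Computer or from Microsoft. It performs the same procedure (check Office is closed, back up the key, create the CLSID subkey, write the DWORD) and then reads the value back instead of trusting the write, and it also offers a verify-only mode and a rollback. Because the article does not reproduce the parent key path, the script takes it as a mandatory parameter with no default; copy the exact 32-bit or 64-bit path from Microsoft's advisory. The list of Office process names it checks is an assumption (common Office executables, not an exhaustive list). Two practitioner caveats: the GUID is a COM class identifier and 0x400 is the flag value Windows uses as the ActiveX "kill bit", so documents that legitimately embed that control will stop rendering it in Office; and the change is only picked up by Office processes started after it is made.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the article or from Microsoft. Applies, verifies or
  removes the CVE-2026-21509 registry mitigation for Office 2016/2019.
  The article does not reproduce the parent key path (it differs for 32-bit and
  64-bit Office), so it is a mandatory parameter: copy it from Microsoft's advisory.
  The CLSID, value name and 0x400 value are the ones given in the article.
#>
param(
    # Parent key in PowerShell provider form ('HKLM:\SOFTWARE\...'), exactly as
    # published in Microsoft's advisory for your Office bitness. No default on purpose.
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^HK(LM|CU):\\')]
    [string]$ParentKeyPath,

    # .reg backup written before any change (step 2 of the article).
    [string]$BackupPath = "$env:TEMP\CVE-2026-21509-backup.reg",

    [switch]$VerifyOnly,   # report whether the mitigation is present; change nothing
    [switch]$Remove        # roll back: delete the CLSID key this script creates
)

$Clsid       = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # from the article
$ValueName   = 'Compatibility Flags'                      # from the article
$ExpectedVal = 0x400                                      # from the article (hex 400)
$TargetKey   = $ParentKeyPath.TrimEnd('\') + '\' + $Clsid

function Test-Mitigation {
    # True only if the CLSID key exists and the DWORD reads back as exactly 0x400.
    if (-not (Test-Path -LiteralPath $TargetKey)) { return $false }
    $item = Get-ItemProperty -LiteralPath $TargetKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([uint32]$item.$ValueName -eq $ExpectedVal)
}

function Assert-OfficeClosed {
    # Step 1 of the article. Process names are an assumption: common Office executables.
    $names = 'winword', 'excel', 'powerpnt', 'outlook', 'msaccess', 'onenote', 'visio', 'mspub'
    $running = Get-Process -Name $names -ErrorAction SilentlyContinue
    if ($running) {
        throw ("Close these Office processes first: " + (($running.ProcessName | Sort-Object -Unique) -join ', '))
    }
}

if ($VerifyOnly) {
    if (Test-Mitigation) { "Mitigation present: $TargetKey\$ValueName = 0x400"; exit 0 }
    "Mitigation NOT present at $TargetKey"; exit 1
}

Assert-OfficeClosed

# Step 2: back up the parent key with reg.exe, which wants HKLM\... rather than HKLM:\...
if (Test-Path -LiteralPath $ParentKeyPath) {
    $regPath = $ParentKeyPath -replace '^HK(LM|CU):\\', 'HK$1\'
    & reg.exe export $regPath $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; nothing was changed." }
    "Backup written to $BackupPath"
}

if ($Remove) {
    # Roll back by deleting the CLSID key; the control loads again once Office restarts.
    if (Test-Path -LiteralPath $TargetKey) { Remove-Item -LiteralPath $TargetKey -Recurse }
    "Mitigation removed from $TargetKey"
    exit 0
}

# Steps 4-7: create the CLSID key (and any missing parents) and the DWORD. -Force makes
# this idempotent, so re-running on an already mitigated host is harmless.
New-Item -Path $TargetKey -Force | Out-Null
New-ItemProperty -LiteralPath $TargetKey -Name $ValueName -PropertyType DWord -Value $ExpectedVal -Force | Out-Null

# Read the value back rather than trusting the write.
if (-not (Test-Mitigation)) { throw "Value did not read back as 0x400; inspect $TargetKey manually." }
"Mitigation applied: $TargetKey\$ValueName = 0x400. The change takes effect when Office is next started."
```

Run it from an elevated PowerShell as `.\Mitigate-CVE-2026-21509.ps1 -ParentKeyPath '<path from the advisory>'`, then `-VerifyOnly` from your configuration-compliance tooling to confirm the DWORD is actually present on each host; `-Remove` restores the previous behaviour once the vendor patch for Office 2016/2019 has been installed.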
A Microsoft spokesperson emphasized that Microsoft Defender currently has detections to block exploitation and that the default Protected View setting offers an additional layer of security by blocking internet-sourced malicious files. The company strongly advises users to be cautious when opening files from unknown sources and to heed security warnings.
This emergency update follows a busy month for Microsoft’s security team. Earlier in January, the Patch Tuesday release addressed 114 flaws, including another actively exploited zero-day. That flaw, an information disclosure vulnerability in the Desktop Window Manager, could allow attackers to read memory addresses. Microsoft also released several other out-of-band updates last week to resolve issues causing system shutdown problems and Outlook client freezes that were introduced by the January patches.
(Source: Bleeping Computer)