- Researchers at Cisco Talos have identified a double-free vulnerability in Microsoft Office Excel and reported it to the vendor.
- A specially-crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
- Cisco Talos worked with Microsoft to ensure that this issue was resolved and an update is available for affected customers.
Cisco Talos announced that they have identified a double-free vulnerability in Microsoft Office Excel and reported it to the tech giant. The vulnerability, tracked as CVE-2022-41106, has a CVSSv3 score of 7.8. The vulnerability was reported to Microsoft in late August and the patch was released on the 8th of November, 2022. Marcin ‘Icewall’ Noga of Cisco Talos discovered the vulnerability.
Class attribute double-free vulnerability
According to the announcement, the vulnerability allows an attacker to provide a malicious file to trigger a possible arbitrary code execution. Cisco Talos worked with Microsoft during the fix and an update is released for affected users. Microsoft and Cisco Talos urged users to update the affected products immediately: Microsoft Office Excel 2019 x86 version 2207 build 15427.20210 and version 2202 build 14931.20660.
Cisco Talos stated that the vulnerability can be exploited with a specially-crafted malformed file, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. Cisco Talos said,
« The following Snort rules will detect exploitation attempts against these vulnerabilities: 60500-60501. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. »