Microsoft Office lets hackers execute arbitrary code, update now

News
By published

A newly discovered flaw in Excel lets hackers run arbitrary code

Zero-day attack
(Image credit: Shutterstock) (Image credit: Shutterstock.com)

Cybersecurity researchers from Cisco Talos recently discovered a high-severity vulnerability in Microsoft Office that would allow potential threat actors to remotely execute malicious code on the target endpoint. 

Announcing the news in a short blog post published earlier this week, the office software developer said its researcher Marcin 'Icewall’ Noga uncovered a class attribute double-free vulnerability affecting Microsoft Excel.

By running a weaponized Excel file, the victim would allow the attacker to execute arbitrary code on their device. The vulnerability is now being tracked as CVE-2022-41106, and other than that, details are scarce. 

What we do know is that Microsoft was notified and has already provided a patch. Excel users are advised to update their software to version 2207 build 15427.20210 and version 2202 build 14931.20660.

Targeting office workers

Microsoft’s productivity suite continues to be one of the most popular attack vectors among cybercriminals. Up until recently, Office documents with malicious macros, distributed via email, were the most popular way to have office workers download and run malware on their computers, opening up the doors to more destructive cyberattacks such as ransomware or identity theft.

Read more

> Microsoft Excel is making a big change to protect against malware

> Microsoft Office is finally making this vital security change across Excel, Word and more

> Here are the best antivirus programs around

More recently, Microsoft decided to prevent the software from running macros at all, in files downloaded from the internet, as opposed to the trusted, local network.

That prompted cybercriminals to move away from macros and into Windows shortcut files (.lnk) which are now widely used to side-load malicious .dlls, and other kinds of malware. 

Regardless of the security measures implemented by software makers and companies, one truth remains - the employees are still the weakest link in the cybersecurity chain. Unless they are educated and trained to stop cyberattacks, crooks will always find a way to trick them into downloading and running malware. 

Besides this, making sure the staff isn’t overworked and distracted can also help improve the cybersecurity posture of any company.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Outlook
Dangerous Microsoft Outlook flaw could let hackers send out malware via email
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
A phone sitting on a laptop keyboard with the Microsoft Outlook logo on the screen.
US government warns users to patch this critical Microsoft Outlook bug
Representational image of a cybercriminal
Microsoft just patched a host of worrying security issues, so update now
A person at a laptop with a cybersecure lock symbol floating above it.
A worrying security flaw could have left Microsoft SharePoint users open to attack
Latest in Security
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Latest in News
A young woman is working on a laptop in a relaxed office space.
I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Nespresso Vertuo Pop machine in Candy Pink with coffee drinks and capsules
My favorite Nespresso coffee maker just got a fresh new makeover, and now I love it even more
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
More about security
Android Logo

Devious new Android malware uses a Microsoft tool to avoid being spotted
Google Chrome

Google Chrome security flaw could have let hackers spy on all your online habits
Samsung Odyssey G9 OLED gaming monitor against a cyan TechRadar deals background

Our favorite ultrawide OLED monitor just got a massive discount for the Amazon Spring Sale - get it now before it nearly doubles in price!
See more latest
Most Popular
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
A young woman is working on a laptop in a relaxed office space.
I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
Render of a new RTX 4000 Max-Q gaming laptop.
I can't say I'm surprised, but Nvidia's RTX 5090 laptop GPU has a big performance leap over its predecessor, according to early benchmarks
Nespresso Vertuo Pop machine in Candy Pink with coffee drinks and capsules
My favorite Nespresso coffee maker just got a fresh new makeover, and now I love it even more
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Apple Music on a tablet, showing a new Listening Guide feature
Apple Music Classical just got 3 excellent perks in its biggest upgrade since launch
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound