好的,我现在需要帮用户总结一篇文章的内容,控制在100个字以内,而且不需要用“文章内容总结”或者“这篇文章”这样的开头。直接写文章描述即可。 首先,我仔细阅读了用户提供的文章。文章主要讲的是微软发布了一个紧急更新,修复了Office中的一个零日漏洞CVE-2026-21509。这个漏洞正在被积极利用,影响了多个Office版本,包括2016到2024以及Microsoft 365 Apps。 接下来,我需要提取关键信息:微软发布紧急更新、修复零日漏洞、漏洞编号、影响的Office版本、攻击方式(通过恶意文件)、微软采取的措施(如更新和服务端修复)、以及用户需要采取的补救措施。 然后,我要把这些信息浓缩成100字以内的内容。需要注意的是,不能使用特定的开头语句,所以直接从关键点开始。 最后,确保语言简洁明了,信息准确无误。检查字数是否符合要求,并且内容是否涵盖了所有重要方面。 </think> 微软发布紧急更新修复正在被利用的Office零日漏洞CVE-2026-21509,影响Office 2016至2024及Microsoft 365 Apps。该漏洞可被攻击者通过恶意文件绕过安全保护。微软已提供修复方案,并建议用户安装更新或手动调整注册表以防范风险。 2026-1-26 19:3:54 Author: securityaffairs.com(查看原文) 阅读量:9 收藏
Emergency Microsoft update fixes in-the-wild Office zero-day
Microsoft issued emergency updates to fix an actively exploited Office zero-day, CVE-2026-21509, affecting Office 2016–2024 and Microsoft 365 Apps.
Microsoft released out-of-band security updates to address an actively exploited Office zero-day vulnerability tracked as CVE-2026-21509.
The issue is a security feature bypass vulnerability that affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise.
“Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.” reads the advisory that confirms that the issue is actively exploited in the wild. “An attacker must send a user a malicious Office file and convince them to open it.”
The update addresses a flaw that bypasses OLE security protections in Microsoft 365 and Office, exposing users to vulnerable COM/OLE controls.
Microsoft confirmed that the Office Preview Pane is not affected and cannot be used as an attack vector. However the tech giant did not disclose technical details about the attacks exploiting this vulnerability.
Microsoft is working to address the vulnerability in Microsoft Office 2016 and 2019 and announced that security updates will be released as soon as possible.
Microsoft provides mitigations to reduce exploitation risk. Office 2021 and later are protected automatically through a service-side fix after restarting apps. Office 2016 and 2019 require installing the upcoming security update or manually applying a registry change to block vulnerable COM/OLE controls. This involves adding a specific COM Compatibility registry key and setting a Compatibility Flags DWORD value. Users should back up the registry before making changes and restart Office for protections to take effect.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Office)
如有侵权请联系:admin#unsafe.sh