Advisory 18

TLP Rating: White

Critical vulnerabilities identified in Microsoft Office (Excel, CVE-2021-42292).

CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory from its international partners. CERTVU would like to advise its constituents of critical vulnerabilities identified in locally installed versions of Microsoft Excel which allow a cyber-actor to bypass a key security control.

 

What this means

Attackers can use a malicious Microsoft Excel spreadsheet to exploit this vulnerability. This malicious document would then likely be used as part of a spear phishing campaign.

Which Microsoft systems are affected?

All supported versions of Microsoft Excel on Microsoft Office 2013 Service Pack (SP) 1 (64-bit editions), Microsoft Office 2013 SP 1 (32-bit editions), Microsoft Office 2013 RT SP1, Microsoft Office 2016 (64-bit edition), Microsoft Office 2016 (32-bit editions), Microsoft Office LTSC 2021 for 64-bit editions, Microsoft Office LTSC 2021 for 32-bit editions, Microsoft Office 365 Apps for Enterprise for 64-bit systems, Microsoft Office 365 Apps for Enterprise for 32-bit systems, Microsoft Office 2019 for Mac, Microsoft Office 2019 for 64-bit editions and Microsoft Office 2019 for 32-bit editions.

What to do

  1. Check your version of Microsoft Office.
  2. Apply the security update for the above Microsoft Office versions as soon as possible.

The Security Update Guide entry can be viewed on the Microsoft website: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292

If you need assistance, contact CERT Vanuatu on 33380 or by email.
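
For step 1 on Windows, the following PowerShell is an added example (not part of the original advisory and not Microsoft's own tooling) that reports the installed Excel build and maps it to the product families listed above. It assumes the standard Office registry locations and contains no fixed build numbers, which must be taken from the Security Update Guide entry; Office 2019 for Mac is not covered.

```powershell
# Added example: inventory the local Excel install for comparison with the
# affected products in this advisory. Patched build numbers are NOT hard-coded;
# look them up in the MSRC Security Update Guide entry for CVE-2021-42292.

function Get-OfficeFamily {
    param([string]$Version, [string]$ReleaseIds)
    # Major version 15 is Office 2013. Office 2016, 2019, LTSC 2021 and
    # Microsoft 365 Apps all report major version 16, so the Click-to-Run
    # product IDs are needed to tell them apart.
    if ($Version -like '15.*')    { return 'Office 2013' }
    if ($Version -notlike '16.*') { return 'Not in the advisory list' }
    # Ignore separately licensed Visio/Project IDs so they cannot mislabel the suite.
    $suite = ($ReleaseIds -split ',' | Where-Object { $_ -notmatch 'Visio|Project' }) -join ','
    switch -Regex ($suite) {
        'O365'  { return 'Microsoft 365 Apps' }
        '2021'  { return 'Office LTSC 2021' }
        '2019'  { return 'Office 2019' }
        default { return 'Office 2016 (or unidentified 16.x product)' }
    }
}

# Standard locations: Click-to-Run configuration and the registered excel.exe path.
$c2rKey  = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe'

$c2r = Get-ItemProperty -Path $c2rKey -ErrorAction SilentlyContinue
$exe = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'

if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
    Write-Output 'Excel is not registered on this machine.'
    return
}

# Prefer the Click-to-Run reported build; fall back to the binary's own version (MSI installs).
$fileVersion = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
$version     = if ($c2r.VersionToReport) { $c2r.VersionToReport } else { $fileVersion }

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    Family      = Get-OfficeFamily -Version $version -ReleaseIds $c2r.ProductReleaseIds
    Build       = $version
    Platform    = $c2r.Platform   # x86 or x64 for Click-to-Run; empty for MSI installs
    InstallType = if ($c2r) { 'Click-to-Run' } else { 'MSI' }
    ExcelPath   = $exe
}
```

Compare the reported `Build` against the fixed build listed for the matching product in the Security Update Guide before marking a machine as updated.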

References

  1. https://www.cyber.gov.au/acsc/view-all-content/alerts/critical-vulnerability-present-certain-versions-microsoft-excel
  2. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42292