QID 110458

Date Published: 2024-02-14

QID 110458: Microsoft Office Remote Code Execution (RCE) Vulnerability for February 2024

Microsoft has released February 2024 security updates to fix multiple security vulnerabilities.

This security update contains the following:
Office Click-2-Run and Office 365 Release Notes
KB5002492
KB5002542
KB5002491
KB5002495
KB5002537
KB5002467
KB5002522
KB5002469
KB5002536
KB5002519

Patched Versions for Microsoft 365 (C2R) are:
Current Channel: Version 2401 (Build 17231.20236)
Monthly Enterprise Channel: Version 2312 (Build 17126.20190)
Monthly Enterprise Channel: Version 2311 (Build 17029.20178)
Semi-Annual Enterprise Channel (Preview): Version 2308 (Build 16731.20550)
Semi-Annual Enterprise Channel: Version 2308 (Build 16731.20550)
Semi-Annual Enterprise Channel: Version 2302 (Build 16130.20916)
Semi-Annual Enterprise Channel: Version 2208 (Build 15601.20870)
Office 2021 Retail: Version 2401 (Build 17231.20236)
Office 2019 Retail: Version 2401 (Build 17231.20236)
Office 2016 Retail: Version 2401 (Build 17231.20236)
Office LTSC 2021 Volume Licensed: Version 2108 (Build 14332.20637)
Office 2019 Volume Licensed: Version 1808 (Build 10407.20032)

QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft Office via the Windows Registry. The QID checks the file version of "graph.exe" to identify vulnerable versions of Microsoft Office.

Note: Office Click-2-Run and Office 365 installations need to be updated manually or set to update automatically. There is no direct download for the patch.
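The patched-build list above can be applied to an inventory export as follows. This is an added example, not the QID's own detection logic (which reads the file version of "graph.exe"); it assumes each host reports its Click-to-Run build as `16.0.<branch>.<revision>` or `<branch>.<revision>`, and the host names and sample builds are constructed. A build is compared only against the patched revision of its own branch, because a patched Semi-Annual build is numerically lower than an unpatched Current Channel build.

```python
import re

# Patched Click-to-Run builds copied from the list above, keyed by the build
# branch (the part before the dot); value is the minimum patched revision.
PATCHED_C2R = {
    17231: 20236,  # Version 2401: Current Channel, Office 2016/2019/2021 Retail
    17126: 20190,  # Version 2312: Monthly Enterprise Channel
    17029: 20178,  # Version 2311: Monthly Enterprise Channel
    16731: 20550,  # Version 2308: Semi-Annual Enterprise Channel (and Preview)
    16130: 20916,  # Version 2302: Semi-Annual Enterprise Channel
    15601: 20870,  # Version 2208: Semi-Annual Enterprise Channel
    14332: 20637,  # Version 2108: Office LTSC 2021 Volume Licensed
    10407: 20032,  # Version 1808: Office 2019 Volume Licensed
}

# Assumed input format: optional "16.0." prefix, then <branch>.<revision>.
_BUILD = re.compile(r"^(?:16\.0\.)?(\d{4,5})\.(\d{4,5})$")


def classify(build):
    """Return 'patched', 'vulnerable', 'unknown-branch' or 'unparsable'."""
    m = _BUILD.match(build.strip())
    if not m:
        return "unparsable"
    branch, revision = int(m.group(1)), int(m.group(2))
    minimum = PATCHED_C2R.get(branch)
    if minimum is None:
        # Branch not listed on this page: do not guess from the number alone.
        return "unknown-branch"
    return "patched" if revision >= minimum else "vulnerable"


# Constructed sample inventory (host names and builds are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "16.0.17231.20236"),
    ("ws-002", "16.0.17231.20182"),
    ("ws-003", "16.0.16731.20550"),
    ("ws-004", "16.0.16130.20868"),
    ("ws-005", "16.0.16827.20166"),
    ("ws-006", "n/a"),
]


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(build) for host, build in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown-branch` or `unparsable` need manual review against the Office release notes rather than being counted as patched.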

Vulnerable products may be prone to a remote code execution vulnerability.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as Critical - 10 severity.

Solution:
Customers are advised to refer to these KB Article(s):
KB5002492
KB5002542
KB5002491
KB5002495
KB5002537
KB5002467
KB5002522
KB5002469
KB5002536
KB5002519
and Office Click-2-Run and Office 365 Release Notes for more information regarding these vulnerabilities.

    CVEs related to QID 110458

Software Advisories
Advisory ID Software Component Link
Microsoft Office February 2024 msrc.microsoft.com/update-guide/