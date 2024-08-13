Microsoft disclosed an unpatched zero-day in Office that could be used by threat actors to access sensitive information. The vulnerability in Office has been described as a spoofing flaw that makes use of social engineering to lure users to click on maliciously crafted links.

Attackers could host a website, or use compromised websites, to target users. Links to these maliciously crafted websites are then sent to the targeted users either through email or a message on the Messenger app. Users are lured into clicking on the link, which delivers a file on their systems specifically designed to exploit the vulnerability.

Microsoft is expected to release a formal patch for the vulnerability as soon as 13 August, in the meantime, the Windows-maker has enabled an alternative fix.

The disclosure comes even as Microsoft says it is working on addressing two zero-day flaws that could be exploited to “unpatch” up-to-date Windows systems, opening them up to attacks leveraging older vulnerabilities.

