Latest News

**How could an attacker exploit this vulnerability?** Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the Block macros from running in Office files from the Internet policy is disabled and VBA Macro Notification Settings are not enabled allowing the attacker to perform remote code execution. * In an email attack scenario, an attacker could send the malicious file to the victim and convince them to open the file. * In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a malicious file designed to exploit the vulnerability. An attacker would have no way to force the victim to visit the website. Instead, an attacker would have to convince the victim to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the malicious file.

**Windows 11, version 24H2 is not generally available yet. Why are there updates for this version of Windows listed in the Security Updates table?** The new Copilot+ devices that are now publicly available come with Windows 11, version 24H2 installed. Customers with these devices need to know about any vulnerabilities that affect their machine and to install the updates if they are not receiving automatic updates. Note that the general availability date for Windows 11, version 24H2 is scheduled for later this year.

**According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H) but have no effect on integrity (I:N) or on availability (A:N). What does that mean for this vulnerability?** An attacker who successfully exploited the vulnerability could view sensitive information (Confidentiality). While the attacker can not make changes to disclosed information (Integrity) and limit access to the resource (Availability).

**How could an attacker exploit this vulnerability?** An authenticated attacker with permissions to execute commands on the Azure CycleCloud instance could send a specially crafted request that returns the storage account credentials and runtime data. The attacker can then use the comprised credentials to access the underlying storage resources and upload malicious scripts which will be executed as Root, enabling remote code execution to be performed on any cluster in the CycleCloud instance.

**How do I protect myself from this vulnerability?** The vulnerability pertains to a previous installer version which has been superseded by the new WinRE installer. Since the vulnerability is only exploitable at the install time, users need to take no action to be protected from this vulnerability. See the linked Article in the Security Updates table about the update for your particular Windows version.

**According to the CVSS metric, the attack vector is physical (AV:P). What does that mean for this vulnerability?** To exploit this vulnerability, an attacker needs physical access to the victim's machine.

**What privileges could be gained by an attacker who successfully exploited this vulnerability?** An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

**What privileges could be gained by an attacker who successfully exploited this vulnerability?** An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

**According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?** This vulnerability could lead to the attacker gaining the ability to interact with other tenant’s applications and content.

**According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?** To successfully exploit this vulnerability, an attacker or the targeted user would need to achieve a high level of control over a machine, as the attack requires access to processes typically restricted from average users. Essentially, the exploitation necessitates elevated privileges on the compromised machine due to the requirement of manipulating processes beyond the reach of standard user permissions.