Block all Office applications from creating child processes!
It’s time for yet another Office Zero day vulnerability, this one seen to be actively exploited in a number of places up to and including the NATO summit. There is another way to specially craft an Office document to trigger remote code execution when it is opened and those attachments are apparently all over the place. The vulnerability is as of yet unpatched, but there are a few ways to protect yourself and those you know who just love opening mysterious attachments.
If you are running Defender for Office and have blocked child processes you should be safe, those two features together will prevent the code from being able to successfully execute. If you don’t have that option then it’s off to the Registry with you to add in a number of exe files to a key which prevents them from launching a child process. This could be rather problematic for some, as you might want PowerPoint to be able to talk to Excel or Graph.
You can get the list of programs to add, as well as more info, at Bleeping Computer.
"Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," Redmond said today.