Two days ago, Microsoft released an emergency update for Microsoft Office, resolving CVE-2026-21509, a vulnerability in Office that was found to be exploited in the wild. Microsoft's advisory initially stated that vulnerability details were publicly disclosed, but later reversed that claim. The advisory provided very little information on the vulnerability but it did provide mitigation recommendations for those who can't immediately apply the update.
These recommendations indicate that the vulnerability relies on the ability to embed a Shell.Explorer.1 OLE object (Windows Class ID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) in an Office document. This object is actually an embedded Internet Explorer or Windows Explorer component, and it has been an instrument of various exploits and security tricks in the past. Most notably, Yorick Koster wrote a very good article back in 2018 about embedding such objects in Office documents, and about how double-clicking such an embedded object and confirming an (admittedly not too scary-looking) security warning resulted in launching an arbitrary executable on the user's computer.
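As an added example (this is not 0patch's code, nor anything from Microsoft's advisory), the following Python script gives defenders a quick way to triage Office documents for the object class named above. It assumes the OOXML container layout (.docx/.xlsx/.pptx are ZIP archives): Word records an embedded object's ProgID in the `<o:OLEObject>` element of `word/document.xml`, and the embedded OLE compound file under `word/embeddings/` carries the object's CLSID as a 16-byte little-endian GUID. The sample document the script builds for itself is constructed purely so the scanner can be exercised offline; it contains no exploit, only the markers a scanner would key on.

```python
"""Flag Shell.Explorer.1 OLE embeddings in OOXML Office documents (added example)."""
import re
import sys
import uuid
import zipfile
from io import BytesIO

# Class ID of Shell.Explorer.1, as quoted in the Microsoft advisory and this post.
SHELL_EXPLORER_CLSID = uuid.UUID("EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B")
# Compound-file (CFB) storages record a CLSID as a little-endian GUID; this is the
# byte pattern to look for inside embedded *.bin parts (substring heuristic, not a
# full CFB parse, so it errs on the side of flagging).
CLSID_LE_BYTES = SHELL_EXPLORER_CLSID.bytes_le
# Textual form of the CLSID as it may appear inside XML parts.
CLSID_TEXT_RE = re.compile(re.escape(str(SHELL_EXPLORER_CLSID)).encode(), re.IGNORECASE)
# Word writes the object's ProgID into <o:OLEObject ProgID="..."> in document.xml.
PROGID_RE = re.compile(rb'ProgID="(Shell\.Explorer(?:\.\d+)?)"', re.IGNORECASE)


def scan_office_document(data: bytes) -> list[dict]:
    """Return one finding per ZIP part that references Shell.Explorer.1."""
    findings = []
    with zipfile.ZipFile(BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.lower().endswith((".xml", ".rels")):
                m = PROGID_RE.search(content)
                if m:
                    findings.append({"part": name, "indicator": "ProgID",
                                     "value": m.group(1).decode("ascii")})
                elif CLSID_TEXT_RE.search(content):
                    findings.append({"part": name, "indicator": "CLSID text",
                                     "value": str(SHELL_EXPLORER_CLSID).upper()})
            elif CLSID_LE_BYTES in content:
                findings.append({"part": name, "indicator": "CLSID bytes",
                                 "value": str(SHELL_EXPLORER_CLSID).upper()})
    return findings


def build_sample_docx(embed_shell_explorer: bool) -> bytes:
    """Construct a minimal in-memory .docx (constructed test input, not a real document)."""
    body = b"<w:p><w:r><w:t>Hello</w:t></w:r></w:p>"
    if embed_shell_explorer:
        body += (b'<w:p><w:r><w:object><v:shape id="_x0000_i1025"/>'
                 b'<o:OLEObject Type="Embed" ProgID="Shell.Explorer.1" '
                 b'ShapeID="_x0000_i1025" DrawAspect="Content" ObjectID="_1" '
                 b'r:id="rId1"/></w:object></w:r></w:p>')
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    b'<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
                    b"</Types>")
        zf.writestr("word/document.xml", b"<w:document><w:body>" + body + b"</w:body></w:document>")
        if embed_shell_explorer:
            # Stand-in for the embedded object: CFB magic, padding, then the CLSID
            # in little-endian layout, mimicking what a real storage entry carries.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + CLSID_LE_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_shell_explorer.py file1.docx file2.xlsx ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = scan_office_document(fh.read())
        status = "SUSPICIOUS" if hits else "clean"
        print(f"{path}: {status}")
        for h in hits:
            print(f"  {h['part']}: {h['indicator']} = {h['value']}")
```

The scan keys on two independent markers (ProgID in the XML, CLSID bytes in the embedded binary) because either one alone can be absent: a legacy binary .doc has no XML parts, and an OOXML part can reference the object through a relationship without a ProgID attribute. Treating a hit as "suspicious, inspect further" rather than "malicious" is deliberate, since the post itself notes that Shell.Explorer.1 has a history of use in tricks that are not all tied to CVE-2026-21509.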
Interestingly, the exploits described in Yorick's 2018 article still worked on fully updated Microsoft Office until two days ago*, with the January 26, 2026 update disabling them - either intentionally or as a side effect.
So did Microsoft decide to patch Yorick's 2018 exploits in 2026 once exploitation has been detected? Only they know, but it seems unlikely that they'd urgently patch something that required a user to double-click something in a document and then also click through a security warning.
(* As Will Dormann noticed, Microsoft did provide some form of protection against this issue outside of Office updates, likely through Windows Defender, but we have no information on when they did that.)
Microsoft's Patch
We don't know what exactly Microsoft patched with the January 26, 2026 Office update. There are multiple changes in Office binaries, none of which immediately looks like an obvious patch, and the update also didn't set a "kill bit" for Class ID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}. We therefore decided not to investigate further, also because even if we did locate their patch, we'd still need a POC to reproduce the vulnerability and test our own patch. No POC was available at the time of this writing - or if one was available in some malware repository such as VirusTotal, it could not be identified based on the available information.
Importantly, Microsoft patched this issue not only for still-supported Office versions, but also for "volume licensed" (MSI) versions of Office 2016 and 2019 - even though these went out of support in October 2025. Remember, volume licensed Office versions get their updates via Windows Update, and Microsoft announced that these versions may still receive additional security patches after their end-of-support date.
In contrast, click-to-run Office 2016 and 2019 versions actually stopped receiving Microsoft's patches after October 2025, and have not received official patches for this vulnerability (nor did Office 2010 and Office 2013, which we're still providing security patches for). Therefore, we developed our own patches for these versions and issued them today.
Our Patch
Our patch implements Microsoft's workaround from their advisory: it emulates the kill bit for Class ID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}, effectively preventing embedded OLE objects of this class from being launched. This is presumably a wider countermeasure that prevents exploitation of CVE-2026-21509 but may also block some other uses of the same OLE object. We find it hard to imagine a legitimate and functional use of this object in an Office document, so we actually prefer such a wider approach.
After our patch is applied, opening an embedded Shell.Explorer.1 OLE object in an Office document will be blocked and will result in the following dialog:
Micropatch Availability
Micropatches were written for the following 32-bit and 64-bit security-adopted Microsoft Office versions:
- Microsoft Office 2019 click-to-run - updated with all available updates (version 2508, build 19127.20302)
- Microsoft Office 2016 click-to-run - updated with all available updates (version 2508, build 19127.20302)
- Microsoft Office 2013 - updated with all available updates
- Microsoft Office 2010 - updated with all available updates
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows or Office versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support in October 2025, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.