Tuesday, February 3, 2026

Micropatches released for Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-62203)


November 2025 Windows Updates brought a patch for CVE-2025-62203, a remote code execution vulnerability in Microsoft Excel that could allow a remote attacker to have their malicious code executed on the user's computer upon opening an Excel file.

The vulnerability was discovered and reported to Microsoft by Quan Jin with DBAPPSecurity.


The Vulnerability 

The vulnerability is a use-after-free issue, more precisely a double free: opening a malicious Excel document results in an already freed memory block being freed again, corrupting the heap. A carefully constructed document could potentially exploit this fact for arbitrary code execution.

The attacker would have to convince the user to open their malicious Excel document. Upon opening the document, Excel complains that the document was damaged and offers to recover it; choosing "Yes" to start the recovery process leads to the vulnerability being triggered. 

Among our security-adopted Office versions, we found this vulnerability to affect not only Office 2016 and 2019 click-to-run, but also Office 2013. Office 2010 is not affected. 


Microsoft's Patch

Microsoft changed a lot of code in excel.exe, making it hard to identify which of the changes were associated with this issue. Fixing use-after-free issues "by the book" sometimes requires many changes in various parts of the code; instead of trying to untangle these changes, we decided to take our time-tested approach to patching this type of issue.


Our Patch

Our time-tested approach is to remove the superfluous free call. We've done this many times before, and admittedly this approach can lead to a small memory leak (unused memory being left allocated, so Excel consumes a little more memory each time execution goes through our patch). However, we assessed that under normal circumstances the accumulated leak would be very small, and it is of course reset to zero each time Excel is closed. In addition, the leak is likely to occur only in the additional excel.exe process launched to recover the document in the background, which gets closed after recovery anyway.

Let's see our patch in action on a fully updated Excel 2019 click-to-run, which we security-adopted last October when it received its last official security patches. First, the user opens the malicious poc.xls document while 0patch is disabled and agrees to have Excel recover it, which results in Excel crashing (as indicated in the Application Event log). With 0patch enabled, the same steps no longer crash Excel.
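To make the double free and the patching trade-off concrete, here is an added example in C; it is not 0patch's micropatch code and contains nothing from excel.exe. It models a recovery routine that releases its work buffer on an error path and then releases it again in its common cleanup, which is the pattern described in this post. A small instrumented allocator (hypothetical helpers model_alloc, model_free, model_leaks) counts a second free() of the same block instead of letting it corrupt the real heap, so three builds of the routine can be compared: the vulnerable one, a "by the book" fix that clears the dangling pointer, and a micropatch-style build that simply does not make the redundant free call and therefore leaks the buffer on the success path. The record format and sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented heap: records every block handed out so a second free() of the
 * same block is counted rather than allowed to corrupt the real allocator
 * (glibc would abort the process on a detected double free). */
#define MAX_BLOCKS 16
#define WORK_BUF_SIZE 64

typedef struct { void *ptr; int live; } block_t;
typedef struct { block_t blocks[MAX_BLOCKS]; int count; int double_frees; } heap_model_t;

static void *model_alloc(heap_model_t *h, size_t n) {
    void *p = malloc(n);
    if (p == NULL || h->count >= MAX_BLOCKS) { free(p); return NULL; }
    h->blocks[h->count].ptr = p;
    h->blocks[h->count].live = 1;
    h->count++;
    return p;
}

static void model_free(heap_model_t *h, void *p) {
    if (p == NULL) return;                 /* free(NULL) is a no-op in C */
    for (int i = 0; i < h->count; i++) {
        if (h->blocks[i].ptr != p) continue;
        if (!h->blocks[i].live) { h->double_frees++; return; }  /* the bug */
        h->blocks[i].live = 0;
        free(p);
        return;
    }
}

static int model_leaks(const heap_model_t *h) {
    int leaks = 0;
    for (int i = 0; i < h->count; i++) leaks += h->blocks[i].live;
    return leaks;
}

/* Three builds of the same recovery routine. */
enum variant { VULNERABLE, BY_THE_BOOK, SKIP_FREE };
typedef struct { int ok; int double_frees; int leaks; } result_t;

/* Record stream format (made up for this example): 1-byte length followed by
 * that many payload bytes. A length that does not fit is a "damaged" record. */
static result_t recover(enum variant v, const unsigned char *rec, size_t len) {
    heap_model_t h;
    memset(&h, 0, sizeof h);
    result_t r = { 1, 0, 0 };
    unsigned char *buf = model_alloc(&h, WORK_BUF_SIZE);
    if (buf == NULL) { r.ok = 0; return r; }

    size_t pos = 0;
    while (pos < len) {
        size_t n = rec[pos++];
        if (n > WORK_BUF_SIZE || pos + n > len) {
            r.ok = 0;
            model_free(&h, buf);                  /* error path releases the buffer */
            if (v == BY_THE_BOOK) buf = NULL;     /* proper fix: no dangling pointer */
            break;
        }
        memcpy(buf, rec + pos, n);
        pos += n;
    }

    /* Common cleanup. In the vulnerable build this frees buf a second time on
     * the error path. The micropatch-style build simply does not make this
     * call, which removes the double free but leaks buf on the success path. */
    if (v != SKIP_FREE) model_free(&h, buf);

    r.double_frees = h.double_frees;
    r.leaks = model_leaks(&h);
    return r;
}

/* Constructed sample inputs, not real Excel data. */
static const unsigned char GOOD_RECORDS[]    = { 3, 'a', 'b', 'c', 2, 'x', 'y' };
static const unsigned char DAMAGED_RECORDS[] = { 3, 'a', 'b', 'c', 200, 'x' };

int main(void) {
    const char *names[] = { "vulnerable", "by-the-book", "skip-free" };
    for (int v = VULNERABLE; v <= SKIP_FREE; v++) {
        result_t g = recover((enum variant)v, GOOD_RECORDS, sizeof GOOD_RECORDS);
        result_t d = recover((enum variant)v, DAMAGED_RECORDS, sizeof DAMAGED_RECORDS);
        printf("%-12s good: ok=%d double_frees=%d leaks=%d | damaged: ok=%d double_frees=%d leaks=%d\n",
               names[v], g.ok, g.double_frees, g.leaks, d.ok, d.double_frees, d.leaks);
    }
    return 0;
}
```

Running it shows the vulnerable build double-freeing only on the damaged input, the by-the-book build doing neither, and the skip-free build trading the double free for one leaked work buffer per successful run, which is the memory cost discussed above. Which free call is the "superfluous" one depends on the real code; here the removed call is the one shared by both paths so that the leak is visible.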



Micropatch Availability

Micropatches were written for the following 32-bit and 64-bit security-adopted Microsoft Office versions:

  1. Microsoft Office 2019 click-to-run - updated with all available updates (version 2508, build 19127.20302)
  2. Microsoft Office 2016 click-to-run - updated with all available updates (version 2508, build 19127.20302)
  3. Microsoft Office 2013 - updated with all available updates

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows or Office versions that are no longer receiving official security updates, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

We'd like to thank Quan Jin with DBAPPSecurity for sharing vulnerability details and POC, which allowed us to create a patch for this issue and protect our users.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support in October 2025, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.
