Microsoft Releases Emergency Patch to Address Dangerous Security Hole in Office Applications

Ket. Photo: Microsoft releases security patch (photo: dok. unsplash)

Microsoft has launched an emergency update to fix a security issue in the Office application that is being exploited by hackers. This vulnerability appears with the code CVE-2026-21509.

Microsoft explained that this vulnerability affects Microsoft 365 users, Office 2019, to version 2016. Hackers exploit the gap through phishing attacks by sending malicious documents to targets.

If a user accidentally opens the file, the attacker can bypass local security features and take control of the vulnerable system. A cybersecurity authority report (CVE) states that the feature that can be bypassed by hackers is Object Linking and Embedding (OLE).

"Dependence on untrusted inputs in security decision making in Microsoft Office allows unauthorized attackers to bypass security features locally," explains CVE, quoted on Wednesday, January 28.

Basically, this vulnerability attacks user negligence. Microsoft also stated that, "Attackers must send a malicious Office file to the user and convince them to open it."

To address this vulnerability, Microsoft is launching an automatic update for Microsoft 365 and Office 2021 users. This protection will be active through changes on the service side.

"Customers using Office 2021 and later versions will be automatically protected through changes on the service side, but need to restart their Office applications for these changes to take effect," Microsoft explained.

Meanwhile, the repair process for Office 2016 and 2019 users is reportedly still in the works. Users of the old version are advised to follow the manual guide from Microsoft, including adding a new registry key for temporary protection.

Microsoft continues to monitor the movement of hackers who try to widely distribute this exploit code on the internet. The company is committed to expanding the patch update quickly so that users are safe from hacking threats.