PTA Warns Against Critical Security Flaws in Microsoft Office Apps

The Pakistan Telecommunication Authority (PTA) has released Cyber Security Advisory No. 368, warning users about serious vulnerabilities discovered in multiple Microsoft Office products. The advisory, dated January 14, 2025, classifies the threat as a high-severity vulnerability that could lead to arbitrary code execution and privilege escalation if exploited.

According to the advisory, the affected software includes Microsoft 365 Apps for Enterprise (16.0.1), Microsoft Office 2019 (19.0.0), Microsoft Office LTSC 2021 and 2024 (16.0.1 and 1.0.0, respectively), as well as Microsoft SharePoint Server 2019 and SharePoint Enterprise Server 2016 (both 16.0.0). Specific vulnerabilities have been identified in Visio (CVE-2024-43505), Excel (CVE-2024-43504), and SharePoint (CVE-2024-43503).

The Visio vulnerability may allow local attackers to execute arbitrary code by processing specially crafted content. Similarly, Excel users are exposed to a use-after-free flaw that can enable malicious actors to execute code remotely. The SharePoint vulnerability is particularly concerning, as it could allow authenticated users to escalate their privileges by sending specially designed requests.

The PTA emphasized the urgency of addressing these vulnerabilities to prevent potential security breaches. It noted that these flaws represent significant risks to organizations relying on Microsoft productivity tools, especially those handling sensitive or confidential information. The attack vector focuses on privilege escalation, which could allow threat actors to gain broader access within a compromised system.

To mitigate these risks, the PTA has urged all users and system administrators to ensure their Microsoft software is updated with the latest security patches. The advisory recommends using the Microsoft Security Update Guide to locate and apply the relevant patches and maintain up-to-date systems to defend against known vulnerabilities.