{"@odata.context":"https://api.msrc.microsoft.com/sug/v2.0/sugodata/v2.0/en-US/$metadata#vulnerability/$entity","id":"00000000-0000-0000-0000-000002cdce41","releaseDate":"2021-04-13T07:00:00Z","cveNumber":"CVE-2021-28449","cveTitle":"Microsoft Office Remote Code Execution Vulnerability","releaseNumber":"2021-Apr","vulnType":"Security Vulnerability","latestRevisionDate":"2021-04-27T07:00:00Z","cweList":[],"cweDetailsListForSearch":[],"mitreText":"CVE-2021-28449","mitreUrl":"https://www.cve.org/CVERecord?id=CVE-2021-28449","publiclyDisclosed":"No","exploited":"No","latestSoftwareReleaseId":2,"latestSoftwareRelease":"Exploitation Less Likely","olderSoftwareReleaseId":2,"olderSoftwareRelease":"Exploitation Less Likely","denialOfService":"N/A","tag":"Microsoft Office Excel","issuingCna":"Microsoft","issuingCnaId":0,"severityId":0,"impactId":0,"langCode":"en-US","baseScore":"7.8","temporalScore":"7.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C","isMariner":false,"customerActionRequired":true,"customerActionRequiredId":0,"cweDetailsList":[],"articles":[{"articleType":"FAQ","description":"

Is the Preview Pane an attack vector for this vulnerability?

\n

No, the Preview Pane is not an attack vector.

\n","ordinal":10000},{"articleType":"FAQ","description":"

Why am I receiving notifications during file load?

\n

Some Office files, templates, or add-ins (even ones originally obtained from Microsoft) may display a notification message. Macros, or add-ins, in those files have been disabled. Please see Side effects after you apply April 2021 security updates for Office for more information.

\n

I'm running Office 2010 or Office 2013. Why are my add-ins such as Solver and Analysis ToolPak appearing in a different language after installing this update?

\n

This behavior is expected after installing these updates. Please see Side effects after you apply April 2021 security updates for Office to learn the steps in order to display the desired language.

\n

I'm running Office 2007. How do I protect myself?

\n

Microsoft Office 2007 reached end of support on October 10, 2017. To stay supported, you will need to upgrade to a supported version of Office. If upgrading is not feasible, applying the following mitigations can help protect your system; however, they will disable multiple features in Microsoft Office. To mitigate the vulnerability, all of the following modifications must be made:

\n\n
    \n
  1. Disable all macros without notification: see the Disable untrusted macros without notification section of Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
    2. \n
  2. Disable Trusted Locations: see Plan trusted locations and trusted publishers settings for the 2007 Office system
    3. \n
  3. Disable all Application Add-ins: see the Disable add-ins on a per-application basis section of Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
    4. \n
\n","ordinal":10000}],"revisions":[{"cveNumber":"CVE-2021-28449","version":1,"revisionDate":"2021-04-13T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

Information published.

\n","unformattedDescription":"Information published.","notificationNeeded":false,"notificationSent":false,"sourceId":"5de4a752-9286-eb11-a838-000d3a6d3364"},{"cveNumber":"CVE-2021-28449","version":1.1,"revisionDate":"2021-04-27T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"

Updated acknowledgment.

\n","unformattedDescription":"Updated acknowledgment.","notificationNeeded":false,"notificationSent":false,"sourceId":"bcac7a4b-7da7-eb11-a83e-000d3a6d3364"}]}