Microsoft has announced a security feature bypass vulnerability in Microsoft Office (CVE-2026-21509). An attacker delivers a crafted Office file by phishing and entices the user into opening it; the file exploits Office's reliance on unverified input when it makes a security decision, bypassing the OLE security protections that would otherwise block the embedded content. No authentication to the victim's system is required, and the attack is "local" only in the sense that it executes on the victim's machine at the moment the file is opened.
Microsoft has confirmed that this vulnerability is being exploited in the wild. Update the affected software as soon as possible to reduce the risk.
【Affected Systems】
All versions are affected, including Office 2016, 2019, 2021, 2024, and Microsoft 365.
【Recommended Action】
Automatic Updates: Microsoft 365 Apps, Office 2021, Office 2024 and other Click-to-Run installs receive the fix from Microsoft's Office update service (the Office CDN), not from Windows Update. Upon receiving this notice, close every Office application (Word, Excel, PowerPoint, Outlook and any other Office program) completely and reopen it: a downloaded update is applied only while no Office process is running. To confirm the fix has been applied, open any Office application, go to File > Account and compare the build number shown under "About" with the fixed build listed in Microsoft's advisory for CVE-2026-21509; "Update Options > Update Now" on the same page forces an immediate update check.
Manual Updates: Users running older versions (Office 2016 or 2019) should check Windows Update (with "Receive updates for other Microsoft products" enabled) for the relevant security updates. Note that only MSI-based installs are patched this way; a Click-to-Run install of these versions updates through the Office update service exactly like Microsoft 365. If File > Account shows an "Update Options" button, the install is Click-to-Run and the automatic-update step above applies instead.
Security Awareness: The vulnerability is triggered only when a malicious file is opened in Office. Do not open email attachments from unknown senders or download Office documents from untrusted or suspicious websites; if an attachment is unexpected, verify it with the sender through a separate channel before opening it.
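As an added example (this script is not part of the advisory and not Microsoft's code), the PowerShell below lets an administrator or help desk verify the "Automatic Updates" step on a Click-to-Run machine: it reads the reported Office build and update channel from the Click-to-Run registry key, lists Office processes that would block the update from applying, compares the build against a minimum fixed build, and can launch the Click-to-Run updater. The $MinimumFixedBuild value is a placeholder, not a number from the advisory: take the fixed build for your update channel from Microsoft's CVE-2026-21509 advisory before relying on the result. The registry key and OfficeC2RClient.exe path are the standard Click-to-Run locations; machines without that key (MSI-based Office 2016) must be checked through Windows Update instead.

```powershell
# Added example, not part of the advisory: check an Office Click-to-Run install
# against the fixed build for CVE-2026-21509 and optionally start the updater.
# $MinimumFixedBuild is a placeholder (assumption); replace it with the fixed
# build for your update channel from Microsoft's CVE-2026-21509 advisory.
param(
    [version]$MinimumFixedBuild = [version]'16.0.0.0',
    [switch]$TriggerUpdate
)

$c2rConfig = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

if (-not (Test-Path $c2rConfig)) {
    # No Click-to-Run hive: either no Office, or an MSI-based install (e.g. volume
    # Office 2016), which is patched through Windows Update / Microsoft Update.
    Write-Output 'No Click-to-Run Office install found. MSI-based Office is patched via Windows Update.'
    return
}

$cfg     = Get-ItemProperty -Path $c2rConfig
$build   = [version]$cfg.VersionToReport   # e.g. 16.0.xxxxx.xxxxx
$channel = $cfg.UpdateChannel              # CDN URL that identifies the update channel

Write-Output "Office build:   $build"
Write-Output "Update channel: $channel"

# A downloaded update is applied only while no Office process is running,
# so report anything that is still open.
$officeProcs = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK, ONENOTE, MSACCESS, VISIO, WINPROJ `
                           -ErrorAction SilentlyContinue
if ($officeProcs) {
    $names = ($officeProcs | Select-Object -ExpandProperty Name -Unique) -join ', '
    Write-Output "Office processes still running (close them so the update can apply): $names"
}

if ($build -ge $MinimumFixedBuild) {
    Write-Output "Build is at or above the fixed build $MinimumFixedBuild."
} else {
    Write-Output "Build is below the fixed build $MinimumFixedBuild; update required."
    if ($TriggerUpdate) {
        # OfficeC2RClient.exe lives under the 64-bit Program Files regardless of Office bitness.
        $c2rClient = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
        # forceappshutdown=true closes open Office apps so the update can be applied; warn users first.
        & $c2rClient /update user displaylevel=true forceappshutdown=true
    }
}
```

Run it as `.\Check-OfficeBuild.ps1 -MinimumFixedBuild 16.0.<fixed build from the advisory>` from an elevated prompt; add `-TriggerUpdate` only after users have saved their work, because the updater closes every Office application.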
