Today, Microsoft has patched five additional Office bugs I discovered and reported recently, following the two Office bugs patched last month.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26629
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24077
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24078
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24079
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24080

Four out of the five are bugs discovered through a novel attack vector in Microsoft Office. Besides the bugs themselves, this attack vector could potentially aid real-world exploitation of Office bugs. As I have repeatedly emphasized, the importance of discovering novel attack vectors cannot be overstated (personally, I’d prefer to call myself an attack vector explorer rather than just a bug hunter). Hopefully I will get time to talk about the details sometime soon!

If you're a defender or just a regular Office user, I recommend using the 64-bit version of Office instead of the 32-bit one, as the 64-bit version makes real-world exploitation much more difficult. Timely patching, of course, is also important.

P.S.: If you’d like to "fund" such novel attack vector research in complex software, I’m #opentowork. :)

#Office is now #Microsoft365.
the urls are still office.com, but you might also end up on live.com. if you’re clever, microsoft365.com also works.

the login is obviously through microsoftonline.com, sometimes device.login.microsoftonline.com.

if you create a link you might also visit sharepoint.com, which is different but quite the same.

if you want your emails, that would be outlook.office.com, even though office is now microsoft 365.

and now explain to a user how to detect a #phishing website. 👀
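The point the post makes is that a legitimate Microsoft 365 session bounces across office.com, live.com, microsoft365.com, microsoftonline.com and sharepoint.com, so "does the address look like Microsoft" is not a check a user can apply by eye. The block below is an added example, not code from the post or from Microsoft: it turns the domains the post lists into an allowlist and checks a URL against it the way a practitioner would, matching on whole DNS labels rather than substrings, rejecting the `user@host` trick and non-ASCII or punycode hosts, and flagging sharepoint.com separately because any tenant (the `contoso` subdomain is a constructed placeholder) can host content there. The `evil.example` hosts in the comments are constructed lookalikes, not real domains.

```python
from urllib.parse import urlsplit

# Domains the post names as legitimate landing points for a Microsoft 365 flow.
# Constructed allowlist for this example; outlook.office.com and
# device.login.microsoftonline.com are covered as subdomains of these.
MS365_DOMAINS = {
    "office.com",
    "microsoft365.com",
    "live.com",
    "microsoftonline.com",
    "sharepoint.com",
}

# Any Microsoft tenant can publish pages under these, so a match means
# "Microsoft infrastructure", not "content Microsoft vouches for".
TENANT_HOSTED = {"sharepoint.com"}


def registrable_parent(host: str):
    """Return the allowlisted domain that `host` is, or is a subdomain of.

    Matching is on whole labels from the right, so
    'login.microsoftonline.com.evil.example' does NOT match 'microsoftonline.com'
    (its candidates are ...evil.example, com.evil.example, evil.example).
    """
    labels = host.lower().rstrip(".").split(".")
    # Stop before the bare TLD; 'com' on its own must never match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in MS365_DOMAINS:
            return candidate
    return None


def naive_contains_check(url: str) -> bool:
    """The substring check a user (or a careless filter) tends to apply.
    Shown only to contrast with classify_url(); it passes lookalikes."""
    return any(d in url.lower() for d in MS365_DOMAINS)


def classify_url(url: str) -> str:
    """Classify a URL as ok / caution / reject with a short reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "reject: not https"
    # https://login.microsoftonline.com@evil.example/ puts the real host after '@'.
    if parts.username is not None or parts.password is not None:
        return "reject: userinfo in URL"
    host = parts.hostname
    if not host:
        return "reject: no host"
    # Unicode or punycode labels are how homoglyph lookalikes are spelled.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "reject: non-ASCII or punycode host"
    parent = registrable_parent(host)
    if parent is None:
        return "reject: not a Microsoft 365 domain"
    if parent in TENANT_HOSTED:
        return "caution: tenant-hosted content on " + parent
    return "ok: " + parent


if __name__ == "__main__":
    for u in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://outlook.office.com/mail/",
        "https://contoso.sharepoint.com/:w:/s/shared",
        "https://login.microsoftonline.com.evil.example/",   # constructed lookalike
        "https://login.microsoftonline.com@evil.example/",   # constructed lookalike
        "https://microsoft-online.com/",                     # constructed lookalike
    ):
        print(f"{classify_url(u):45s} naive={naive_contains_check(u)}  {u}")
```

The contrast worth showing a user is the third-from-last line: the substring check says yes to `login.microsoftonline.com.evil.example`, the label-wise check says no. What the code cannot decide for them is the sharepoint.com case, which is why it returns a separate "caution" rather than "ok".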