The flaw affected Windows 7 through Windows 11, as well as Windows Server 2008 until 2022.
According to a report from Google’s Threat Analysis Group (TAG) on Wednesday, researchers notified Microsoft about CVE-2022-41128 and the issue was patched “within a few hours.”
“This vulnerability requires that a user with an affected version of Windows accesses a malicious server. An attacker would have to host a specially crafted server share or website,” Microsoft warned at the time. Adding that an attacker would need to entice the intended victim into visiting a specially crafted server share or website to trigger the exploit.
Because Office renders HTML content using IE, the attackers distributed the IE exploit in an Office document. Because, even if Chrome is set as the default, Office defaults to the IE engine when it contacts HTML or web content, IE exploits have been delivered via Office since 2017.
The sources for this piece include an article in ZDNet.