Mimecast discovers MS Office vulnerability

Read time 2min 40sec
MS Office vulnerability uncovered.
MS Office vulnerability uncovered.

Mimecast Research Labs has uncovered an information exposure vulnerability in Microsoft Office, dubbed CVE-2019-0560, which, although patched last week, more than likely created the widespread unintended leakage of sensitive information in millions of previously created Office files.

However, Mimecast says it is not aware of any actual exploit of this vulnerability.

In a blog post, Mimecast says the vulnerability was classified as "important" by Microsoft, meaning it has the potential to result in the "compromise of the confidentiality, integrity, or availability of a user's data, or of the integrity or availability of processing resources".

According to the researchers, this incident is reminiscent of the Heartbleed vulnerability that hit the headlines in 2014.

Heartbleed was a serious vulnerability in the popular OpenSSL cryptographic software library. It enabled the stealing of information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications including Web, e-mail, instant messaging and some virtual private networks.

How it was found

In early November last year, Mimecast Research Labs was investigating what it thought at the time was an ordinary false positive malware detection claim from one of its e-mail security customers. In the usual course of business, the company received reports of false positive detections of phishing attacks from its customers, and sometimes, these included the detection of files that appeared to be malicious.

The investigation of a malware strand that was apparently a false positive turned out to be something very different. The researchers discovered the Microsoft Office product had a memory leak, and not just a run-of-the-mill memory leak that merely consumed too much system memory, but one that could lead to the unintended disclosure of information for any unpatched Microsoft Office suite instance using ActiveX controls.

On closer scrutiny, the researchers discovered they did in fact contain machine executable code, which is concerning in a data file such as the Microsoft Word solution. The existence of machine executable code in a data file is considered a key indicator of a potential exploit. In this case, however, the machine executable was merely a fragment, and although not malicious, led to the conclusion that Microsoft Office files that included ActiveX controls were consistently causing memory leaks.

These memory leaks lead to the permanent writing of memory content into different Microsoft Office files. Hence, the potential for the unintended leakage of sensitive information and local machine information, if known, could help attackers execute a malware-enabled, remote execution attack and steal sensitive information.

The Mimecast team says it has evidence of this leak in documents dating back years. Some documents were even found online containing sensitive user information. The company advises all users of this Microsoft Office product to apply the patch as soon as possible.

Login with