Four vulnerabilities found in Microsoft Office
Windows users are urged to update their software after Check Point Research (CPR) discovered four security vulnerabilities that affect products in the Microsoft Office suite, including Excel and Office Online.
The vulnerabilities are the result of parsing mistakes made in legacy code, leading researchers to believe they have existed for years, and could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook.
Says Yaniv Balmas, head of Cyber Research at Check Point Software: “The vulnerabilities found affect almost the entire Microsoft Office ecosystem. It’s possible to execute such an attack on almost any Office software, including Word, Outlook and others.”
Legacy code continues to be a weak link in the security chain, he adds, particularly in complex software such as Microsoft Office.
“Even though we found only four vulnerabilities on the attack surface in our research, one can never tell how many more vulnerabilities like these are still lying around waiting to be found. I strongly urge Windows users to update their software immediately, as there are numerous attack vectors possible by an attacker who triggers the vulnerabilities that we found.”
How they were found
CPR discovered the vulnerabilities by “fuzzing” MSGraph, a component that can be embedded inside Microsoft Office products in order to display graphs and charts.
Fuzzing is an automated software testing technique that feeds invalid and unexpected data inputs, generated at random, into a computer program in order to find coding errors and security loopholes.
By using the technique, the company discovered vulnerable functions inside MSGraph. Similar code checks confirmed that the vulnerable function was commonly used across multiple different Microsoft Office products, such as Excel, Office Online Server and Excel for OSX.
Content that triggers the vulnerabilities can be embedded in most Office documents, meaning there are a variety of attack vectors that can be employed.
In the simplest one, a victim downloads a malicious Excel file (XLS format), which can be served via a download link or an e-mail; the attacker cannot force the victim to download it. The victim then opens the malicious Excel file, and the vulnerability is triggered.
Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software, including Word, Outlook and others.
CPR responsibly disclosed the vulnerabilities to Microsoft, which then issued fixes: CVE-2021-31174, CVE-2021-31178, CVE-2021-31179 and CVE-2021-31939.