Four security vulnerabilities discovered in the Microsoft Office suite, including Excel and Office online, could be potentially abused by bad actors to deliver attack code via Word and Excel documents.
“Rooted from legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook,” researchers from Check Point Research said in a report published today.
Three of the four flaws — tracked as CVE-2021-31174, CVE-2021-31178, CVE-2021-31179 — have been fixed by Microsoft as part of its Patch Tuesday update for May 2021, with the fourth patch (CVE-2021-31939) to be issued in June’s update rolling out later today.
In a hypothetical attack scenario, the researchers said the vulnerability could be triggered simply by opening a malicious Excel (.XLS) file that’s served via a download link or an email.
Arising out of parsing mistakes in legacy code for Excel 95 file formats, the vulnerabilities were found by fuzzing MSGraph (“MSGraph.Chart.8”), a relatively under-analyzed Microsoft Office component that’s on par with Microsoft Equation Editor in terms of attack surface. Equation Editor, a now-defunct feature in Word, has been part of the arsenal of several -related threat actors since at least late 2018.
“Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software, including Word, Outlook and others,” Check Point researchers said.
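Because the object can sit inside any Office container, triage has to look in both legacy OLE files and OOXML packages. The sketch below is an added example, not code from Check Point or Microsoft: it flags files in which the ProgID named above appears, assuming the string is stored as plain ASCII or UTF-16LE (a heuristic); `find_msgraph`, `constructed_samples` and the sample bytes are hypothetical names and constructed data.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsx) is a ZIP
PROGID = "MSGraph.Chart.8"                       # ProgID named in the article
NEEDLES = [PROGID.lower().encode(e) for e in ("ascii", "utf-16-le")]
MAX_MEMBER = 50 * 1024 * 1024                    # skip oversized members (zip bombs)


def _has_progid(blob: bytes) -> bool:
    low = blob.lower()                           # lowercases ASCII bytes only
    return any(n in low for n in NEEDLES)


def find_msgraph(data: bytes, name: str = "input", depth: int = 0) -> list:
    """Return container paths where the MSGraph ProgID string appears."""
    hits = []
    if data.startswith(OLE_MAGIC):
        # Legacy .xls/.doc, or an embedded oleObject*.bin. Heuristic raw scan:
        # streams are not reassembled, so a fragmented string can be missed.
        if _has_progid(data):
            hits.append(name)
    elif data.startswith(ZIP_MAGIC) and depth < 3:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER:
                        continue
                    member, path = zf.read(info), f"{name}!{info.filename}"
                    if member.startswith((OLE_MAGIC, ZIP_MAGIC)):
                        hits += find_msgraph(member, path, depth + 1)
                    elif _has_progid(member):
                        hits.append(path)    # e.g. ProgID="..." in the XML part
        except zipfile.BadZipFile:
            pass
    return hits


def constructed_samples() -> dict:
    """Constructed test inputs; the OLE blobs are not valid compound files."""
    ole_graph = OLE_MAGIC + b"\x00" * 504 + b"\x01CompObj\x00" + PROGID.encode()
    ole_plain = OLE_MAGIC + b"\x00" * 504 + b"Excel.Sheet.8"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", '<o:OLEObject ProgID="MSGraph.Chart.8"/>')
        zf.writestr("word/embeddings/oleObject1.bin", ole_graph)
    return {"graph.xls": ole_graph, "plain.xls": ole_plain, "embed.docx": buf.getvalue()}
```

A hit only means the file embeds an MSGraph object and deserves closer inspection or patched-host handling; it says nothing about whether the object is malformed.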
The four vulnerabilities are as follows:
- CVE-2021-31179 – Microsoft Office Remote Code Execution Vulnerability
- CVE-2021-31174 – Microsoft Excel Information Disclosure Vulnerability
- CVE-2021-31178 – Microsoft Office Information Disclosure Vulnerability
- CVE-2021-31939 – Microsoft Office use-after-free vulnerability
Microsoft, in its advisory for CVE-2021-31179, had previously noted that exploitation of the vulnerability requires that a user open a specially-crafted file, adding that the adversary would have to trick victims into clicking a link that redirects users to the malicious document.
The exact technical details surrounding CVE-2021-31939 are limited, likely in an attempt to allow a majority of users to install the fixes and prevent other threat actors from creating exploits targeting the flaw.
“The vulnerabilities found affect almost the entire Microsoft Office ecosystem,” said Yaniv Balmas, Head of Cyber Research at Check Point. “It’s possible to execute such an attack on almost any Office software, including Word, Outlook and others. One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office.”
Windows users are strongly recommended to apply the patches as soon as possible to mitigate the risk and avoid attacks that could exploit the aforementioned weaknesses.