MS Office Vulnerabilities
Vulnerabilities are due to outdated code
According to the security researchers, products across the Office suite are affected, including Excel and Word. The vulnerabilities stem from outdated code and open the possibility for attackers to execute malicious commands through crafted Office documents.
Check Point Research discovered the vulnerabilities by fuzzing MSGraph, a component that can be embedded in Microsoft Office products to display graphs and charts.
Fuzzing is an automated software testing technique that attempts to find software bugs by randomly feeding invalid and unexpected data inputs into a program to detect code errors and security vulnerabilities. Using this technique, CPR discovered vulnerable functions within MSGraph. Similar code checks confirmed that the vulnerable function is often used in various Microsoft Office products, such as Excel, Office Online Server, and Excel for OSX. The vulnerabilities are the result of parsing errors in outdated code, leading CPR to believe that they have been around for years.
Yaniv Balmas, Head of Cyber Research, Products-R&D at Check Point
Yaniv Balmas, Head of Cyber Research at Check Point Software Technologies, who is responsible for the discovery, explains: “The vulnerabilities found affect almost the entire Microsoft Office ecosystem. It is possible to carry out such an attack against almost any office software, including Word, Outlook and Excel. We realized that the vulnerabilities are due to parsing errors in the legacy code. One of the key findings from our study is that legacy code remains a weak link in the security chain, especially with complex software such as Microsoft Office. Although we found only four vulnerabilities in our investigation, we can never say how many more vulnerabilities of this kind are still lying around waiting to be found. I strongly recommend that Windows users update their software immediately, as there are numerous ways in which an attacker can exploit the vulnerabilities we have found.”
The danger: the vulnerabilities found can be embedded in most Office documents, so multiple attack paths are conceivable. The simplest would be:
- The victim downloads a malicious Excel file (XLS format) or Word file (DOCX format) or Outlook email (EML format). The document can be provided via a download link or email, but the attacker cannot force the victim to download it.
- The victim opens the contaminated file.
- The vulnerability is triggered.
The entire Office suite can integrate Excel objects, for example, and this functionality widens the attack path available to attackers. Thus, it becomes possible to carry out an attack against almost any office software.
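For triage of the embedding path described above, here is an added example (not from the article or from Check Point) that lists embedded parts and OLE ProgIDs in an OOXML file such as DOCX. The watched ProgID list, the function names and the sample document are assumptions constructed for illustration; legacy XLS and EML files need a different parser.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound-file signature
# ProgID prefixes worth a closer look (chosen for this example, not from the article)
WATCHED = ("MSGraph.Chart", "Excel.Sheet", "Excel.Chart")
MAX_PART = 8 * 1024 * 1024                       # cap per-part reads (zip-bomb guard)
# Regex instead of an XML parser: the input is untrusted, and the prefix and case
# of the element differ between WordprocessingML and SpreadsheetML.
PROGID_RE = re.compile(rb'<(?:\w+:)?oleObject\b[^>]*?\bprogId="([^"]*)"', re.I)


def triage_ooxml(data: bytes) -> dict:
    """List embedded parts and OLE ProgIDs in an OOXML (zip) document."""
    report = {"ooxml": False, "embedded": [], "ole2": [], "progids": [], "flagged": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report                            # legacy XLS/DOC or EML: out of scope here
    report["ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as part:
                body = part.read(MAX_PART)
            if "/embeddings/" in info.filename:
                report["embedded"].append(info.filename)
                if body.startswith(OLE_MAGIC):
                    report["ole2"].append(info.filename)
            elif info.filename.endswith(".xml"):
                report["progids"] += [m.decode("utf-8", "replace")
                                      for m in PROGID_RE.findall(body)]
    report["flagged"] = any(p.startswith(WATCHED) for p in report["progids"])
    return report


def build_sample(with_object: bool) -> bytes:
    """Constructed test document: a minimal zip shaped like a DOCX."""
    obj = ('<w:object><o:OLEObject Type="Embed" ProgID="MSGraph.Chart.8" '
           'r:id="rId5"/></w:object>') if with_object else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", f"<w:document><w:body>{obj}</w:body></w:document>")
        if with_object:
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("with object", build_sample(True)), ("clean", build_sample(False))):
        print(label, triage_ooxml(doc))
```

A flagged result only means the document carries an embedded object of a watched type, which is a reason to check patch level and inspect the file further, not proof that it is malicious.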
CPR has responsibly shared its research findings with Microsoft. Microsoft has already closed the security holes and published patches for CVE-2021-31174, CVE-2021-31178, and CVE-2021-31179. The fourth patch will be released on Microsoft’s Patch Tuesday, June 8, 2021, classified as CVE-2021-31939.