IT Brief Australia - Technology news for CIOs & IT decision-makers
Story image
Researchers identify four new security vulnerabilities in Microsoft Office
Wed, 9th Jun 2021
FYI, this story is more than a year old

Check Point Research has identified four new security vulnerabilities in the Microsoft Office suite.

The malicious code affects a number of products in the suite, including Excel and Office online. The vulnerabilities can enable an attacker to execute code on targets via malicious Office documents, such as Word (.docx), Excel (.xml) and Outlook (.eml). The vulnerabilities are the result of parsing mistakes made in legacy code found in Excel 95 file formats. The researchers believe that the security flaws may have existed for several years.

Check Point Research discovered the vulnerabilities by fuzzing, a type of automated testing, Microsoft Graph, a component that can be embedded inside Microsoft Office products in order to display graphs and charts.

Fuzzing is a technique that attempts to find hackable software bugs by randomly feeding invalid and unexpected data inputs into a computer program, which allows the user, in this case, Check Point Research, to find coding errors and security loopholes. Other code checks were then used to confirm the vulnerable function was commonly used across multiple different Microsoft Office products, such as Excel, Office Online Server, and Excel for OSX.

As the vulnerabilities can be embedded in most Office documents, there are multiple attack vectors that can be used. A simple scenario would be that the victim downloads a malicious Excel file, and once they open the malicious file, the vulnerability is triggered. The fact that the entire Office suite has the ability to embed Excel objects makes for a large attack vector.

Check Point Research says it responsibly disclosed its research finding to Microsoft. Microsoft has since patched the security vulnerabilities.

“The vulnerabilities found affect almost the entire Microsoft Office ecosystem,” says Check Point Software's head of cyber research, Yaniv Balmas.

“It's possible to execute such an attack on almost any Office product, including Word, Outlook and others. We learned that the vulnerabilities are due to parsing mistakes made in legacy code. One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office.

He urges people to update their software, saying, “Even though we found only four vulnerabilities on the attack surface in our research, one can never tell how many more vulnerabilities like these are still lying around waiting to be found. I strongly urge Windows users to update their software immediately, as there are numerous attack vectors possible by an attacker who triggers the vulnerabilities that we found.”

How to Update your Windows PC

  • Select the Start button, then select Settings > Update - security > Windows Update
  • If you want to check for updates manually, select Check for updates
  • Select Advanced options, and then under Choose how updates are installed, select Automatic (recommended)