Researchers find four vulnerabilities in Microsoft Office

Daniel ZimmermannJune 10, 2021

0 129 1 minute read

Check Point researchers have identified four vulnerabilities affecting Microsoft Office products, including Excel and Office Online.

The vulnerabilities arose in old, legacy code and could allow attackers to execute code through malicious Office documents such as Word(.DOCX), Excel(.XLS), and Outlook(.EML). Even worse, experts believe that these bugs have existed in the code for many years.

Yesterday, June 8, 2021, Microsoft released a patch for a vulnerability affecting the Microsoft Office MSGraph component, which is responsible for displaying graphics and charts.

As it turns out, it can be used to execute code on the target machine. Unfortunately, this component can be embedded in most Office documents.

The discovered vulnerabilities affect almost the entire Microsoft Office ecosystem. This attack can be carried out on almost any Office software, including Word, Outlook, etc. We learned that vulnerabilities arise from parsing errors in legacy code. One of the main findings of our research is that legacy code continues to be a weak link in the security chain, especially in complex software such as Microsoft Office. Although we found only four vulnerabilities in our research, it is impossible to say how many such vulnerabilities are still waiting in the wings. I urge Windows users to update their software immediately.commented Yaniv Balmas, head of research at Check Point Software Technologies.

All bugs were found by fuzzing MSGraph. The reason the researchers focused on testing MSGraph is because it contains code that is at least 17 years old. The attacks associated with this component may be similar to attacks on the Microsoft Equation Editor, the errors in which, corrected in 2017, continue to be actively exploited to this day.

Vulnerabilities in MSGraph were identified as CVE-2021-31939, CVE-2021-31174, CVE-2021-31178 and CVE-2021-31179.

Almost no details about the first bug are available, since the CVE was assigned to it quite recently, and the patch was released only yesterday. It is only known that the problem is of the use-after-free type and may lead to the execution of arbitrary code on the system.

As for the other three flaws, they were all fixed last month:

CVE-2021-31174: OOBR Microsoft Excel Information Disclosure Vulnerability (Medium Severity) affects MSGraph, Office Online, and Microsoft Excel;
CVE-2021-31178: OOBR Integer Overflow Vulnerability for Information Disclosure (Medium Severity).
CVE-2021-31179: Remote Code Execution Memory Corruption Vulnerability (High Severity).

Let me remind you that we talked about the fact that PuzzleMaker Cluster Attacks Companies with 0-Day Vulnerabilities in Windows 10, as well as that Microsoft fixed 17-year-old critical vulnerability in Windows DNS Server.

Sending