Check Point Research (CPR) urges Windows users to update their software, after discovering four security vulnerabilities that affect products in Microsoft Office suite, including Excel and Office online. Rooted from legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook.
- Malicious code could have been delivered via Word documents (.DOCX) , Outlook Email (.EML) and most office file formats.
- Vulnerabilities are the result of parsing mistakes made in legacy code, leading CPR to believe security flaws have existed for years
- CPR responsibly disclosed to Microsoft, who then issued fixes: CVE-2021-31174, CVE-2021-31178, CVE-2021-31179, CVE-2021-31939
Check Point Research (CPR) identified four security vulnerabilities affecting products in the Microsoft Office suite, including Excel and Office online. If exploited, the vulnerabilities would grant an attacker the ability to execute code on targets via malicious Office documents, such as Word (.DOCX), Excel (.EXE) and Outlook (.EML). The vulnerabilities are the result of parsing mistakes made in legacy code found in Excel95 File Formats, giving researchers reason to believe that the security flaws have existed for several years.
Discovery
CPR discovered the vulnerabilities by “fuzzing” MSGraph, a component that can be embedded inside Microsoft Office products in order to display graphs and charts. Fuzzing is an automated software testing technique that attempts to find hackable software bugs by randomly feeding invalid and unexpected data inputs into a computer program, in order to find coding errors and security loopholes. By using the technique, CPR discovered vulnerable functions inside MSGraph. Similar code checks confirmed that the vulnerable function was commonly used across multiple different Microsoft Office products, such as Excel, Office Online Server and Excel for OSX.
Attack Methodology
The vulnerabilities found can be embedded in most Office documents. Hence, there are multiple attack vectors that can be imagined. The simplest one would be:
- Victim downloads a malicious Excel file (XLS format). The doc can be served via a download link or an email, but the attacker cannot force the victim to download it
- The victim opens the malicious Excel file
- The vulnerability is triggered
Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software, including Word, Outlook and others.
Responsible Disclosure
CPR responsibly disclosed its research finding to Microsoft. Microsoft patched the security vulnerabilities, issuing CVE-2021-31174, CVE-2021-31178, CVE-2021-31179. The fourth patch will be issued on Microsoft’s Patch Tuesday on June 8, 2021, classified as (CVE-2021-31939).
How to Update your Windows PC
- Select the Start button, then select Settings > Update& security > Windows Update.
- If you want to check for updates manually, select Check for updates.
- Select Advanced options, and then under Choose how updates are installed, select Automatic (recommended).
Yaniv Balmas, Head of Cyber Research at Check Point Software:
“The vulnerabilities found affect almost the entire Microsoft Office ecosystem. It’s possible to execute such an attack on almost any Office software, including Word, Outlook and others. We learned that the vulnerabilities are due to parsing mistakes made in legacy code. One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office. Even though we found only four vulnerabilities on the attack surface in our research, one can never tell how many more vulnerabilities like these are still laying around waiting to be found. I strongly urge Windows users to update their software immediately, as there are numerous attack vectors possible by an attacker who triggers the vulnerabilities that we found.”
© Press Release 2021
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.