Page 34 - EngineerIt June 2021

INDUSTRY NEWS: PRODUCTS, TECHNOLOGY AND INNOVATION


Four security vulnerabilities found in Microsoft Office



Check Point Research (CPR) urges Windows users to update their software, after discovering four security vulnerabilities that affect products in the Microsoft Office suite, including Excel and Office Online. Rooted in legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook.

Malicious code could have been delivered via Word documents (.DOCX), Outlook email (.EML) and most Office file formats.

The vulnerabilities are the result of parsing mistakes made in legacy code, leading CPR to believe the security flaws have existed for years.

Discovery
CPR discovered the vulnerabilities by “fuzzing” MSGraph, a component that can be embedded inside Microsoft Office products in order to display graphs and charts. Fuzzing is an automated software testing technique that attempts to find exploitable software bugs by feeding random, invalid and unexpected data inputs into a program, in order to surface coding errors and security loopholes. By using the technique, CPR discovered vulnerable functions inside MSGraph. Similar code checks confirmed that the vulnerable function was commonly used across multiple different Microsoft Office products, such as Excel, Office Online Server and Excel for OSX.
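The fuzzing approach described above, as an added Python illustration that is not CPR's harness and uses a constructed toy record format rather than MSGraph's real one: a parser that trusts an embedded point count (the kind of legacy parsing mistake the article describes) beside its bounds-checked version, and a mutation fuzzer that reports every input the parser fails to reject cleanly.

```python
import random
import struct

class ParseError(Exception):
    """Clean rejection of malformed input; anything else escaping the parser is a bug."""

# Constructed toy "chart" record stream, not MSGraph's real format: [tag:1][len:1][payload];
# for tag 0x01 the payload is a uint16 point count followed by int16 points (here 10, 20).
SEED = bytes([0x01, 0x06, 0x02, 0x00, 0x0A, 0x00, 0x14, 0x00])

def parse_chart(data: bytes, hardened: bool) -> list:
    """hardened=False trusts the embedded count: the legacy parsing mistake the article describes."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ParseError("truncated record header")
        tag, length = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ParseError("truncated payload")
        if tag == 0x01:
            count = int.from_bytes(payload[:2], "little")
            if hardened and 2 + 2 * count > len(payload):
                raise ParseError("point count exceeds payload")  # the missing bounds check
            # Without that check a hostile count reads past the payload: struct.error here,
            # an out-of-bounds read in native code.
            records.append([struct.unpack_from("<h", payload, 2 + 2 * k)[0] for k in range(count)])
        else:
            records.append(payload)
        i += 2 + length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):      # overwrite 1-3 random bytes: simplest mutation strategy
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(seed: bytes, hardened: bool, iterations: int = 500, rng_seed: int = 1) -> list:
    """Return (input, exception name) for every mutated input the parser did not reject cleanly."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parse_chart(sample, hardened)
        except ParseError:
            pass                                # clean rejection is the desired outcome
        except Exception as exc:                # stands in for a memory-safety crash
            crashes.append((sample, type(exc).__name__))
    return crashes
```

Running `fuzz(SEED, hardened=False)` turns up crashing inputs within a few hundred iterations, while the bounds-checked parser only ever raises `ParseError`.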
Attack methodology
The vulnerabilities found can be embedded in most Office documents. Hence there are multiple attack vectors that can be imagined. The simplest one would be:
1. Victim downloads a malicious Excel file (XLS format). The doc can be served via a download link or an email, but the attacker cannot force the victim to download it;
2. The victim opens the malicious Excel file;
3. The vulnerability is triggered.

Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software, including Word, Outlook and others.

Responsible disclosure
CPR responsibly disclosed its research findings to Microsoft. Microsoft patched the security vulnerabilities, issuing CVE-2021-31174, CVE-2021-31178 and CVE-2021-31179. The fourth patch was issued on Microsoft’s Patch Tuesday of June 8, 2021, classified as CVE-2021-31939.

How to update your Windows PC
1. Select the Start button, then select Settings > Update & security > Windows Update.
2. If you want to check for updates manually, select Check for updates.
3. Select Advanced options, and then under Choose how updates are installed, select Automatic (recommended).

Yaniv Balmas, head of cyber research at Check Point Software, said: “The vulnerabilities found affect almost the entire Microsoft Office ecosystem. It’s possible to execute such an attack on almost any Office software, including Word, Outlook and others. We learned that the vulnerabilities are due to parsing mistakes made in legacy code. One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office. Even though we found only four vulnerabilities on the attack surface in our research, one can never tell how many more vulnerabilities like these are still lying around waiting to be found. I strongly urge Windows users to update their software immediately, as there are numerous attack vectors possible by an attacker who triggers the vulnerabilities that we found.”

For more information please visit the Check Point technical blog here.