Microsoft Office MSGraph vulnerability could lead to code execution (Security News, June 2021)

Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine.
According to the researchers, the issue is in an MSGraph file parsing function, which "is commonly used across multiple different Microsoft Office products, such as Excel, Office Online Server and Excel for OSX."
- CVE-2021-31174 - out-of-bounds read vulnerability leading to information disclosure in Microsoft Excel; affects MSGraph, Office Online, and Microsoft Excel.
- CVE-2021-31179 - memory corruption vulnerability leading to remote code execution.
The researchers say that all four vulnerabilities can be embedded in most Office documents, leaving room for multiple attack scenarios with the vulnerability being triggered once the victim opens a malicious Office file.
"If exploited, the vulnerabilities would grant an attacker the ability to execute malicious code on targets via specially crafted Office documents," Check Point told BleepingComputer.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-05-11 | CVE-2021-31179 | Unspecified vulnerability in Microsoft products Microsoft Office Remote Code Execution Vulnerability | 0.0 |
2021-05-11 | CVE-2021-31174 | Out-of-bounds Read vulnerability in Microsoft products Microsoft Excel Information Disclosure Vulnerability | 0.0 |