New UAF Vulnerability Affecting Microsoft Office to be Patched Today
Security News, June 2021
Four security vulnerabilities discovered in the Microsoft Office suite, including Excel and Office Online, could potentially be abused by bad actors to deliver attack code via Word and Excel documents.
"Rooted from legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook," researchers from Check Point Research said in a report published today.
Arising out of parsing mistakes made in legacy code found in Excel 95 file formats, the vulnerabilities were found by fuzzing MSGraph, a relatively under-analyzed component in Microsoft Office that's on par with Microsoft Equation Editor in terms of attack surface.
"Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software, including Word, Outlook and others," Check Point researchers said.
"The vulnerabilities found affect almost the entire Microsoft Office ecosystem," said Yaniv Balmas, Head of Cyber Research at Check Point.
"It's possible to execute such an attack on almost any Office software, including Word, Outlook and others. One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office."
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/zjewBl9vWEU/new-uaf-vulnerability-affecting.html