Check Point cybersecurity specialists reported the discovery of four vulnerabilities in Microsoft Office that could be exploited for the creation of malicious documents in Word and Excel, which would facilitate some attack variants.
The first three flaws (CVE-2021-31179, CVE-2021-31174, and CVE-2021-31178) are considered low-severity and reside in the Microsoft Office suite, allowing threat actors to deploy remote code execution attacks and extract sensitive information. These flaws were fixed in Microsoft’s latest update.
On the other hand, CVE-2021-31939 exists because of an improper input validation in Microsoft Excel. This could be exploited by remote threat actors tricking a user into opening a malicious file or website from which they will be able to execute arbitrary code on the target system.
Successful exploitation of this vulnerability would allow attackers to take full control of the compromised system, so it was assigned a score of 7.7/10 according to the Common Vulnerability Scoring System (CVSS). This flaw is expected to be addressed later this week.
During the analysis, the experts used fuzzing techniques to test the COM component of MSGraph (MSGraph.Chart.8, GRAPH. EXE) which was included in the suite since Office 2003 release. MSGraph can be integrated into the various platforms of the Office suite, including Word, Outlook and PowerPoint.
“This component is very similar to Microsoft Equation Editor 3.0, although MSGraph still receives updates on every Office patch and receives the latest mitigations, making it difficult to successfully exploit. This attack surface can also be adapted to other Microsoft Office products such as Excel and Office Online, as they share the same code,” the Check Point report states.
This is an important finding as it allows the company to take a broader approach to releasing updates: “The main result of this research is confirmation that a set of files can be integrated together for the exploitation of flaws in different Office products, which can be very useful for Microsoft” , the safety report concludes.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science at Miami and started working as a cyber security analyst in 2008. He is actively working as an cyber security investigator. He also worked for security companies like Cisco. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.