Four disclosed vulnerabilities in the Office suite, including Excel and Office Online, could be used by cybercriminals to spread attack code through Word and Excel documents.
Security researchers from Check Point note: “Rooted from legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook”.
With the May 2021 patch update, Microsoft fixed three of the four vulnerabilities identified as CVE-2021-31174, CVE-2021-31178, and CVE-2021-31179.
The fourth vulnerability, CVE-2021-31939, will be fixed with a fourth patch that will likely be included in the June update released later today.
According to the security researchers, in a hypothetical attack scenario, the vulnerability may be triggered by simply opening a malicious Excel (.XLS) file served via a download link or an email.
The vulnerabilities were discovered by fuzzing MSGraph (MSGraph.Chart.8), a generally under-analyzed component in Office that is comparable in terms of attack surface to Microsoft Equation Editor.
Equation Editor, a now-defunct Word function, has been in the arsenal of multiple related threat actors since at least late 2018.
The following list contains the four vulnerabilities:
CVE-2021-31179 – Memory Corruption / Office Remote Code Execution flaw
CVE-2021-31174 – OOBR / Excel Information Disclosure flaw
CVE-2021-31178 – Integer Underflow to OOBR / Office Information Disclosure flaw
CVE-2021-31939 – UAF / Office use-after-free flaw
Microsoft has already stated in its advisory for CVE-2021-31179 that the vulnerability can only be exploited if a user opens a specially designed file. The attacker must trick victims into following a link that takes the user to the malicious document.
Specific technical details on CVE-2021-31939 are limited, most likely to give the majority of users time to install the patch and to keep more cybercriminals from developing attacks that target the issue.
Yaniv Balmas, Head of Cyber Research at Check Point, stated: “The vulnerabilities found affect almost the entire Microsoft Office ecosystem”.
“It’s possible to execute such an attack on almost any Office software, including Word, Outlook and others. One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office”.
Windows users are strongly advised to apply the patches as soon as possible to avoid attacks that could compromise their systems.