Microsoft has patched as many as four vulnerabilities in its Office suite that includes Word, Excel, PowerPoint, Outlook as well as Office Web, Check Point Research said on Tuesday. These vulnerabilities could allow an attacker to impact users through malicious Office documents. The cybersecurity firm identified the security loopholes using an automated software technique called “fuzzing” and reported them to Microsoft in February. While three of the vulnerabilities were fixed last month, the company was able to patch the last one earlier on Tuesday. Users are recommended to update the Microsoft Office suite on their desktops and laptops.
Check Point Research said that the loopholes existed in the MSGraph component that is a part of Microsoft Office products including Word, Outlook, PowerPoint, and Excel, among others. The code that the researchers tested and found to be impacted by the vulnerabilities has existed since at least the Office 2003 release launched in August 2003.
“To our knowledge, this component has not received too much attention from the security community until now, making it a fertile ground for bugs,” Check Point Research noted in a blog post.
The researchers used the “fuzzing” technique to uncover the vulnerabilities using automated software. By using the technique, it was found that most of the Microsoft Office products were vulnerable to attacks using malicious code. This could be delivered to users through a specially crafted Word document in .docx format, Outlook email in .eml, or an Excel spreadsheet in the .xls format.
“We realized that the vulnerabilities are the result of parsing errors made in legacy code,” said Yaniv Balmas, Head of Cyber Research at Check Point Software, in a prepared statement. “One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office.”
The researchers noted that there could be multiple attack vectors, and the simplest one would be when a victim downloads a malicious .xls file.
Check Point Research said that it disclosed the four vulnerabilities to Microsoft on February 28. Three of those, classified as CVE-2021-31174, CVE-2021-31178, and CVE-2021-31179, were patched by the software giant on May 11, while the last one, identified as CVE-2021-31939, was fixed on Tuesday.
The researchers at Check Point Research believe that while Microsoft has fixed the four vulnerabilities, there could be some others that may impact users. It is, therefore, recommended to install the latest Microsoft Office suite. Windows 10 users can specifically install the update by going to Settings > Update & Security > Windows Update.