Researchers from Check Point revealed security vulnerabilities in the Microsoft Office suite that could allow attackers to craft weaponized Word and Excel documents.
Analysis of Vulnerabilities in Microsoft Office Component
For the analysis, the experts used fuzzing techniques to test the MSGraph COM component (MSGraph.Chart.8, GRAPH.EXE), a component that has been included in the suite since Office 2003 or earlier.
MSGraph is a component that can be embedded inside many Microsoft Office products such as Word, Outlook, PowerPoint, etc., and is used to display graphs and charts. In terms of the attack surface, MSGraph is quite similar to Microsoft Equation Editor 3.0.
Check Point experts mention that “MSGraph is quite similar to Microsoft Equation Editor 3.0. However, unlike Microsoft Equation Editor, MSGraph is still updated in every Office patch and receives the latest mitigations (such as ASLR and DEP), which makes successful exploitation harder. We later found that this attack surface also applies to other Microsoft Office products, including Excel and Office Online, that share the same code.”
The experts therefore pointed out that the vulnerable function inside MSGraph is commonly used across multiple different MS Office products, such as Excel (EXCEL.EXE), Office Online Server (EXCELCNV.EXE), and Excel for OSX.
“We found through code similarity checks that the vulnerable function is commonly used across multiple different Microsoft Office products, such as Excel (EXCEL.EXE), Office Online Server (EXCELCNV.EXE), and Excel for OSX. We successfully reproduced some of the bugs in these products”, say the researchers from Check Point.
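Because MSGraph objects are embedded in documents under the ProgID MSGraph.Chart.8, defenders can triage inbound files by listing the OLE objects they declare. The following is an added example, not code from Check Point or Microsoft: it scans the XML parts of an OOXML container (.docx, .xlsx, .pptx) for OLE declarations and flags that ProgID. The function names and the sample document are constructed for illustration, and legacy binary formats (.doc, .xls) are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# ProgID named on the page; comparison is case-insensitive.
WATCHED_PROGIDS = {"msgraph.chart.8"}
# Element names that declare an embedded OLE object in Word, Excel and PowerPoint parts.
OLE_ELEMENTS = {"oleobject", "oleobj"}

def find_ole_progids(data):
    """Return sorted (part_name, prog_id) pairs for every OLE declaration found."""
    hits = set()  # a set, because Excel can repeat a declaration in fallback markup
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue  # embedded binary parts are not inspected here
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # skip malformed parts instead of aborting the scan
            for elem in root.iter():
                # Strip the "{namespace}" prefix so all three formats match.
                if elem.tag.rsplit("}", 1)[-1].lower() not in OLE_ELEMENTS:
                    continue
                for attr, value in elem.attrib.items():
                    if attr.rsplit("}", 1)[-1].lower() == "progid":
                        hits.add((name, value))
    return sorted(hits)

def embeds_msgraph(data):
    """True if any declared OLE object uses a watched ProgID."""
    return any(p.lower() in WATCHED_PROGIDS for _, p in find_ole_progids(data))

def build_sample(prog_id):
    """Constructed sample input: a minimal .docx-like archive with one OLE declaration."""
    doc = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:o="urn:schemas-microsoft-com:office:office"><w:body><w:p><w:r><w:object>'
        f'<o:OLEObject Type="Embed" ProgID="{prog_id}" ObjectID="_1"/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    for pid in ("MSGraph.Chart.8", "Excel.Sheet.12"):
        print(pid, embeds_msgraph(build_sample(pid)))
```

When running this over untrusted mail or web downloads, swap the standard-library parser for a hardened one such as defusedxml and cap the decompressed size of each part.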
Four Vulnerabilities Disclosed
- CVE-2021-31179 – MS Office Remote Code Execution Vulnerability
- CVE-2021-31174 – MS Excel Information Disclosure Vulnerability
- CVE-2021-31178 – MS Office Information Disclosure Vulnerability
- CVE-2021-31939 – MS Office use-after-free Vulnerability
Microsoft fixed CVE-2021-31174, CVE-2021-31178 and CVE-2021-31179 on Patch Tuesday in May 2021. CVE-2021-31939 is expected to be fixed in June 2021.
The research was executed on a single component of Microsoft Office and found many vulnerabilities that affect multiple products in this ecosystem.
As a result, a set of files could be embedded in different ways to potentially exploit different Office products across multiple platforms, the report concludes.