Microsoft has patched four security holes in its Office suite, which includes Word, Excel, PowerPoint, Outlook and Office Web, Check Point Research announced on Tuesday. These vulnerabilities could allow an attacker to compromise users with malicious Office documents. The cybersecurity company identified the security gaps with an automated software technique called “fuzzing” and reported them to Microsoft in February. While three of the vulnerabilities were fixed last month, the company was able to patch the last one earlier on Tuesday. It is recommended that users update the Microsoft Office suite on their desktops and laptops.
Check Point Research said the vulnerabilities existed in the MSGraph component that is part of Microsoft Office products such as Word, Outlook, PowerPoint and Excel. The code that the researchers examined, and that was affected by the vulnerabilities, had existed at least since the version of Office 2003 released in August 2003.
“To the best of our knowledge, this component has not received too much attention from the security community, which makes it fertile ground for bugs,” noted Check Point Research in a blog post.
The researchers used the “fuzzing” technique to uncover the weak points with automated software. Using this technique, it was found that most Microsoft Office products were vulnerable to malicious code attacks. Such code could be delivered to users via a specially designed Word document in .docx format, an Outlook e-mail in .eml format or an Excel spreadsheet in .xls format.
“We learned that the vulnerabilities are due to parsing errors in the legacy code,” said Yaniv Balmas, Head of Cyber Research at Check Point Software, in a prepared statement. “One of the most important findings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office.”
The researchers determined that there could be multiple attack vectors, and the simplest would be if a victim downloads a malicious .xls file.
Check Point Research announced that it disclosed the four vulnerabilities to Microsoft on February 28th. Three of these, classified as CVE-2021-31174, CVE-2021-31178, and CVE-2021-31179, were patched by the software giant on May 11, while the last, identified as CVE-2021-31939, was patched on Tuesday.
Researchers at Check Point Research believe that while Microsoft fixed the four vulnerabilities, there may be a few others that could affect users. It is therefore recommended that you install the latest Microsoft Office suite. Windows 10 users can selectively install the update by going to Settings > Update & security > Windows Update.