Posted on Leave a comment

Microsoft Patches Remote Code Execution Vulnerabilities as a Patch Tuesday Updates.

Microsoft has released the patches for Remote code execution , use-after-free vulnerabilities and other information disclosure vulnerabilities on Microsoft office suite.

Researchers from Checkpoint has discovered 4 security vulnerabilities on MS Office packages such as MS Word and MS Excel. Out of which 2 vulnerabilities are categorized under Remote code execution & Use-After-Free vulnerability and other two are categorized under Information disclosure vulnerability respectively.

Microsoft has released the patches for CVE-2021-31179(Remote Code Execution),CVE-2021-31174(Information Disclosure Vulnerability) and CVE-2021-31178(Information DisclosureChinese Vulnerability) as a May month’s Patch Tuesday updates ,While CVE-2021-31939 (Use-After-Vulnerability) patches is expected to be released during June month’s Patch Tuesday .

Checkpoint researchers had chosen MSGraph COM components on their fuzzing activity as it is one of the oldest piece of code existed since Office 2003 days

Additionally, the researcher stated “MSGraph is a component that can be embedded inside many Microsoft Office products (such as Word, Outlook, PowerPoint, etc.), and is used to display graphs and charts. In terms of attack surface, MSGraph is quite similar to Microsoft Equation Editor 3.0. However, unlike Microsoft Equation Editor, MSGraph is still updated in every Office patch and receives the latest mitigations (such as ASLR and DEP), which makes successful exploitation harder. We later found that this attack surface also applies to other Microsoft Office products, including Excel and Office Online, that share the same code.

Although they researched the single component of Office suite, ” we managed to find several vulnerabilities that affect multiple products in this ecosystem. The results of this research were a set of files that could be embedded in different ways to potentially exploit different Office products across multiple platforms” stated in the Research paper.

Disclosure Timeline

  • 28 Feb 2021 – Initial report to Microsoft.
  • 11 May 2021 – Microsoft fixes CVE-2021-31174, CVE-2021-31178, CVE-2021-31179 (Patch Tuesday)
  • 08 Jun 2021 – Microsoft fixes CVE-2021-31939 (Patch Tuesday)
  • 08 Jun 2021 – Blog release

-–For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Leave a Reply