Check Point Research, the research arm of cybersecurity company Check Point Software, has advised Microsoft Office customers to update their software as soon as possible following the discovery of four security vulnerabilities that could allow an attacker to take control of a computer, read and rearrange files, and install ransomware.
CVE-2021-31174, CVE-2021-31178, CVE-2021-31179, and CVE-2021-31939 were the security issues identified.
Microsoft has since released a patch for the Office suite, which fixes the four vulnerabilities discovered in Word, Excel, PowerPoint, and Office Web.
The flaws were reportedly found in MSGraph, a legacy charting component bundled with Microsoft Office.
Microsoft patched three of the four problems (CVE-2021-31174, CVE-2021-31178, and CVE-2021-31179) as part of its Patch Tuesday update for May 2021, while the fix for the fourth (CVE-2021-31939) shipped in the June 2021 update.
In a hypothetical attack scenario described by the researchers, exploitation could be as simple as the victim opening a malicious Excel (.XLS) file delivered through a download link or an email attachment.
The vulnerabilities were uncovered through “fuzzing” MSGraph, a program that displays charts and graphs within the Microsoft Office suite.
Fuzzing is an automated software testing technique that feeds large numbers of malformed and unexpected inputs into a program and watches for crashes or other misbehaviour, in order to uncover both ordinary coding faults and exploitable security flaws.
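To make the technique concrete, here is a small mutation-based fuzzer written for this article; it is an added example, not Check Point's tooling, and the "chart file" format it parses is a constructed toy format, not MSGraph's real one. It takes a valid seed file, applies random mutations (bit flips, byte overwrites, truncation, insertions), and feeds each result to two parsers: a legacy-style parser that trusts the count and length fields in the file, and a hardened version that bounds-checks them. Any exception other than the parser's own ParseError counts as a crash, which is the kind of signal a fuzzer such as the one used against MSGraph reports back.

```python
import random

class ParseError(Exception):
    """Raised for malformed input that the parser explicitly rejects."""

# Constructed toy format (assumption: not MSGraph's real format):
# 2-byte magic b"GR", 1-byte record count, then records of
# (1-byte type, 1-byte length, payload).
MAGIC = b"GR"

def build_seed() -> bytes:
    """Build one valid file to seed the fuzzer with."""
    records = [(0x01, b"title"), (0x02, b"\x00\x10"), (0x03, b"axis")]
    out = bytearray(MAGIC + bytes([len(records)]))
    for rtype, payload in records:
        out += bytes([rtype, len(payload)]) + payload
    return bytes(out)

def parse_legacy(data: bytes) -> list:
    """Deliberately sloppy parser: trusts the count and length fields."""
    if data[:2] != MAGIC:
        raise ParseError("bad magic")
    count = data[2]                       # IndexError on a 2-byte file
    pos, records = 3, []
    for _ in range(count):
        rtype = data[pos]                 # IndexError if count overstates the records
        length = data[pos + 1]
        payload = data[pos + 2 : pos + 2 + length]
        trailing = payload[length - 1]    # IndexError when length exceeds the file
        records.append((rtype, payload))
        pos += 2 + length
    return records

def parse_hardened(data: bytes) -> list:
    """Same format, every field checked against the actual buffer."""
    if len(data) < 3 or data[:2] != MAGIC:
        raise ParseError("bad header")
    count = data[2]
    pos, records = 3, []
    for _ in range(count):
        if pos + 2 > len(data):
            raise ParseError("truncated record header")
        rtype, length = data[pos], data[pos + 1]
        if length == 0:
            raise ParseError("empty record")
        end = pos + 2 + length
        if end > len(data):
            raise ParseError("record length exceeds file")
        records.append((rtype, data[pos + 2 : end]))
        pos = end
    if pos != len(data):
        raise ParseError("trailing bytes")
    return records

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to the input."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:               # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:             # overwrite a byte with a random value
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2 and buf:             # truncate the file
        del buf[rng.randrange(len(buf)):]
    else:                                 # insert a short random chunk
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)

def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> list:
    """Mutation-based fuzz loop. Returns (input, exception name) pairs for
    every input that made the parser crash, i.e. raise anything other
    than the ParseError it uses for clean rejection."""
    rng = random.Random(seed)             # fixed seed keeps runs reproducible
    corpus, crashes = [seed_input], []
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parser(candidate)
        except ParseError:
            continue                      # rejected cleanly: not a bug
        except Exception as exc:          # IndexError etc.: the parser fell over
            crashes.append((candidate, type(exc).__name__))
        else:
            corpus.append(candidate)      # accepted input becomes a new seed
    return crashes

if __name__ == "__main__":
    seed = build_seed()
    for name, parser in (("legacy", parse_legacy), ("hardened", parse_hardened)):
        crashes = fuzz(parser, seed)
        print(f"{name}: {len(crashes)} crashing inputs")
        for sample, exc in crashes[:3]:
            print(f"  {exc}: {sample.hex()}")
```

The legacy parser produces a stream of IndexError crashes within a few hundred iterations, almost all from count or length fields that no longer match the bytes actually present; the hardened parser rejects the same inputs with ParseError and never crashes. Real fuzzers add coverage feedback and run against native code, where the equivalent out-of-bounds read or write is memory corruption rather than a Python exception, but the loop is the same.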
Updating to the latest versions of Windows and Microsoft Office is the only way to close these flaws. Users can turn on automatic updates from the Update & Security page in Windows Settings.
The four vulnerabilities are:
- CVE-2021-31179 – Microsoft Office Remote Code Execution Vulnerability
- CVE-2021-31174 – Microsoft Excel Information Disclosure Vulnerability
- CVE-2021-31178 – Microsoft Office Information Disclosure Vulnerability
- CVE-2021-31939 – Microsoft Excel Remote Code Execution Vulnerability
“The vulnerabilities found affect almost the entire Microsoft Office ecosystem.
It’s possible to execute such an attack on almost any Office software, including Word, Outlook and others.
We learned that the vulnerabilities are due to parsing mistakes made in legacy code”, Yaniv Balmas, Head of Cyber Research at Check Point Software said.