Office hit by four vulnerabilities that Microsoft patched on the May and June Patch Tuesdays
Talking about office suites almost inevitably means talking about Office. But of course, with such a large deployment across millions of computers, security holes do not take long to appear. And that is what has happened with the Office applications on Windows 10, which are affected by four major vulnerabilities.
Researchers have discovered that Word, Outlook, Excel, and PowerPoint for Windows 10 are affected by four major security vulnerabilities that can allow an attacker to infect any unprotected computer with a single file.
Four vulnerabilities that have been fixed with the May Patch Tuesday and June Patch Tuesday
The importance of updating
The bug is caused by a component used to display graphics in various applications. Called MSGraph, this component is present in Word, Excel, Outlook, and PowerPoint. It is a piece of code inherited from the Windows 95 era that has not been properly updated; in other words, legacy code.
The consequence of this security flaw is four vulnerabilities, tracked as CVE-2021-31174, CVE-2021-31178, CVE-2021-31179 and CVE-2021-31939. Through any of them, an attacker could remotely execute code on our PC just by sending a malicious file.
According to the researchers, the vulnerabilities were discovered using a technique called fuzzing, in which random data is fed to a component to see where it might fail, and MSGraph was the component that was affected.
And since it is present in almost every Office application, inserting malicious code into a file and distributing it to infect computers is not overly complicated.
After detecting the error, the discoverers followed the usual protocol and informed Microsoft of the finding in a timely manner (on February 28), so the company has published the corresponding patches. The fixes for the first three vulnerabilities arrived with the May Patch Tuesday (on the 11th), while the remaining one was fixed this past Tuesday with the June Patch Tuesday.
Via | Check Point Research