Microsoft has patched as many as four vulnerabilities in its Office suite that includes Word, Excel, PowerPoint, Outlook as well as Office Web, Check Point Research said on Tuesday. These vulnerabilities could allow an attacker to impact users through malicious Office documents. The cybersecurity firm identified the security loopholes using an automated software technique called “fuzzing” and reported them to Microsoft in February. While three of the vulnerabilities were fixed last month, the company was able to patch the last one earlier on Tuesday. Users are recommended to update the Microsoft Office suite on their desktops and laptops.
Check Point Research said that the loopholes existed in the MSGraph component that is a part of Microsoft Office products including Word, Outlook, PowerPoint, and Excel, among others. The code that the researchers examined and found to be impacted by the vulnerabilities existed since at least the Office 2003 release launched in August 2003.
“To our knowledge, this component has not received too much attention from the security community until now, making it a fertile ground for bugs,” the Check Point Research noted in a blog post.
The researchers used the “fuzzing” technique to exploit the vulnerabilities using automated software. By using the technique, it was found that most of the Microsoft Office products were vulnerable to attacks using malicious code. This could be delivered to users through a specially crafted Word document in .docx format, Outlook Email in .eml, or an Excel spreadsheet in the .xls format.
“We learned that the vulnerabilities are due to parsing mistakes made in legacy code,” said Yaniv Balmas, Head of Cyber Research at Check Point Software, in a prepared statement. One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office.”
The researchers noted that there could be multiple attack vectors, and the simplest one would be when a victim downloads a malicious .xls file.
Check Point Research said that it disclosed the four vulnerabilities to Microsoft on February 28. Three of these that are classified as CVE-2021-31174, CVE-2021-31178, and CVE-2021-31179 were patched by the software giant on May 11, whereas the last one that is identified as CVE-2021-31939 was fixed on Tuesday.
The researchers at Check Point Research believe that while Microsoft has fixed the four vulnerabilities, there could be some others that may impact users. It is, therefore, recommended to install the latest Microsoft Office suite. Windows 10 users can specifically install the update by going to Settings > Update & security > Windows Update.