4 issues in Microsoft Office component allow weaponizing docs

Pierluigi Paganini June 08, 2021

Experts found four security flaws in the Microsoft Office suite that cloud allow attackers to weaponize Word and Excel docs.

Experts from Check Point discovered four security vulnerabilities in the Microsoft Office suite that an attacker could exploit to craft weaponized Word and Excel documents.

Below the list of flaws discovered by the experts:

The CVE-2021-31174, CVE-2021-31178, CVE-2021-31179 vulnerabilities have been addressed by Microsoft as part of its Patch Tuesday update for May 2021, while the CVE-2021-31939 flaw is expected to be fixed in June.

The experts used fuzzing techniques to test the MSGraph COM component (MSGraph.Chart.8, GRAPH.EXE), a component that was included in the suite since Office 2003 or earlier.

MSGraph can be embedded in many products of the Microsoft Office suite, including Word, Outlook, PowerPoint to display graphs and charts. Experts pointed out that flaws in the

“In terms of attack surface, MSGraph is quite similar to Microsoft Equation Editor 3.0. However, unlike Microsoft Equation Editor, MSGraph is still updated in every Office patch and receives the latest mitigations (such as ASLR and DEP), which makes successful exploitation harder.” reads the post published by Check Point. “We later found that this attack surface also applies to other Microsoft Office products, including Excel and Office Online, that share the same code.”

Experts also discovered that the vulnerable function is commonly used across multiple different MS Office products, such as Excel (EXCEL.EXE), Office Online Server (EXCELCNV.EXE) and Excel for OSX. The researchers were able to successfully reproduce some of the flaws in these products.

“Even though we researched a single component of Microsoft Office, we managed to find several vulnerabilities that affect multiple products in this ecosystem. The results of this research were a set of files that could be embedded in different ways to potentially exploit different Office products across multiple platforms.” concludes the report. “As a bonus, we also had the opportunity to experiment with multiple different fuzzing solutions. We hope you find our notes useful.”

Below the disclosure timeline for these vulnerabilities:

  • 28 Feb 2021 – Initial report to Microsoft.
  • 11 May 2021 – Microsoft fixes CVE-2021-31174, CVE-2021-31178, CVE-2021-31179 (Patch Tuesday)
  • 08 Jun 2021 – Microsoft fixes CVE-2021-31939 (Patch Tuesday)
  • 08 Jun 2021 – Blog release

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MS Office)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment