4 issues in Microsoft Office component allow weaponizing docs

Experts found four security flaws in the Microsoft Office suite that cloud allow attackers to weaponize Word and Excel docs.

Experts from Check Point discovered four security vulnerabilities in the Microsoft Office suite that an attacker could exploit to craft weaponized Word and Excel documents.

Below the list of flaws discovered by the experts:

CVE-2021-31179 – MS Office Remote Code Execution Vulnerability
CVE-2021-31174 – MS Excel Information Disclosure Vulnerability
CVE-2021-31178 – MS Office Information DisclosureChinese Vulnerability
CVE-2021-31939 – MS Office use-after-free vulnerability

The CVE-2021-31174, CVE-2021-31178, CVE-2021-31179 vulnerabilities have been addressed by Microsoft as part of its Patch Tuesday update for May 2021, while the CVE-2021-31939 flaw is expected to be fixed in June.

The experts used fuzzing techniques to test the MSGraph COM component (MSGraph.Chart.8, GRAPH.EXE), a component that was included in the suite since Office 2003 or earlier.

MSGraph can be embedded in many products of the Microsoft Office suite, including Word, Outlook, PowerPoint to display graphs and charts. Experts pointed out that flaws in the

“In terms of attack surface, MSGraph is quite similar to Microsoft Equation Editor 3.0. However, unlike Microsoft Equation Editor, MSGraph is still updated in every Office patch and receives the latest mitigations (such as ASLR and DEP), which makes successful exploitation harder.” reads the post published by Check Point. “We later found that this attack surface also applies to other Microsoft Office products, including Excel and Office Online, that share the same code.”

Experts also discovered that the vulnerable function is commonly used across multiple different MS Office products, such as Excel (EXCEL.EXE), Office Online Server (EXCELCNV.EXE) and Excel for OSX. The researchers were able to successfully reproduce some of the flaws in these products.

“Even though we researched a single component of Microsoft Office, we managed to find several vulnerabilities that affect multiple products in this ecosystem. The results of this research were a set of files that could be embedded in different ways to potentially exploit different Office products across multiple platforms.” concludes the report. “As a bonus, we also had the opportunity to experiment with multiple different fuzzing solutions. We hope you find our notes useful.”

Below the disclosure timeline for these vulnerabilities:

28 Feb 2021 – Initial report to Microsoft.
11 May 2021 – Microsoft fixes CVE-2021-31174, CVE-2021-31178, CVE-2021-31179 (Patch Tuesday)
08 Jun 2021 – Microsoft fixes CVE-2021-31939 (Patch Tuesday)
08 Jun 2021 – Blog release

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MS Office)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.