Researchers find four new vulnerabilities in Microsoft’s Office suite


NEW DELHI: Security researchers at Check Point Software have found four vulnerabilities in Microsoft’s Office suite, which includes the Excel and Office online apps. According to the company, the vulnerabilities can allow attackers to run malicious code on infected devices through Microsoft Office files, including MS Word, Excel and Outlook.

“The vulnerabilities are the result of parsing mistakes made in legacy code found in Excel95 file formats, giving researchers reason to believe that the security flaws have existed for several years,” the company said in a blog post. Since the vulnerabilities are embedded in Office documents, attackers can infect devices in multiple ways.

“One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software such as Microsoft Office. Even though we found only four vulnerabilities on the attack surface in our research, one can never tell how many more vulnerabilities such as these are still laying around waiting to be found,” said Yaniv Balmas, head of cyber research at Check Point Software.

According to Check Point, victims may download a malicious file in XLS format, which can be delivered to them through a download link or email. This is good news in a way, because it means attackers will only be able to infect a device if the user downloads and executes these files manually. “Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software,” the company added.

Check Point said that the vulnerabilities were disclosed to Microsoft before being made public and have been patched in the company’s latest updates. “Microsoft patched the security vulnerabilities, issuing CVE-2021-31174, CVE-2021-31178, CVE-2021-31179. The fourth patch will be issued on Microsoft’s Patch Tuesday on 8 June 2021, classified as CVE-2021-31939,” the company said in its blog post.
