A vulnerability affecting Microsoft Graph, along with three other bugs, has been newly detected in the Microsoft Office Suite that will be patched today by the software giant.
Microsoft Office Vulnerabilities:
According to the latest Check Point Research, successful exploitation of the vulnerability could result in malicious code execution on a targeted system.
What makes the vulnerability even more critical is that since the component can be embedded in most, a malicious entity can use it to deliver a malicious payload without having the indeed for special functions.
The Microsoft Graph security vulnerability, tracked as CVE-2021-31939, is a part of a bigger set of vulnerabilities that were detected in Microsoft Office and was reported to the software giant by Check Point Research.
It is provided that the vulnerability-focused research is attributed to the fact that the security flaws include ode that is at least 17 years old and has an attack exterior sharing resemblance with Microsoft Equation Editor, which is reported to have fixed bugs since 2017 and are still being heavily exploited.
The security research regarding the Microsoft Graph vulnerability is lacking, to say the least, however, it has been described as a UAF (use-after-free) vulnerability.
Such a security flaw occurs due to incorrect use of dynamic memory during program operation and can lead to arbitrary code execution.
Other security flaws found:
According to the researchers, the issue is in a Microsoft Graph file parsing function, which “is commonly used across multiple different Microsoft Office products, such as Excel (EXCEL.EXE), Office Online Server (EXCELCNV.EXE) and Excel for OSX.”
The other security vulnerabilities found by the check Point research includes the following ones:
- CVE-2021-31174 – out-of-bounds read (OOBR) vulnerability leading to information disclosure in Microsoft Excel (medium severity); affects MSGraph, Office Online, and Microsoft Excel
- CVE-2021-31178 – integer underflow to out-of-bounds read (OOBR) vulnerability leading to information disclosure (medium severity)
- CVE-2021-31179 – memory corruption vulnerability leading to remote code execution (high severity)
The research has provided that these malicious actors can run malicious code on targeted systems using malicious Office documents, designed to exploit these vulnerabilities.
“Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software, including Word, Outlook, and others” reports Chel Point.
Out of these four, CVE-2021-31939 will be receiving a patch today.