CERT-In Vulnerability Note
CIVN-2019-0196
Multiple Vulnerabilities in Microsoft Office
Original Issue Date: December 12, 2019
Severity Rating: HIGH
Software Affected
- Microsoft Office 2019 for 32-bit and 64-bit
- Office 365 ProPlus for 32-bit and 64-bit
- Microsoft Office 2016 32-bit and 64-bit
- Microsoft Office 2010 Service Pack 2 32-bit and 64-bit
- Microsoft Office 2013 RT Service Pack 1
- Microsoft Office 2013 Service Pack 1 32-bit and 64-bit
- Microsoft Word 2016 32-bit and 64-bit
- Microsoft Word 2010 Service Pack 2 32-bit and 64-bit
- Microsoft Word 2013 RT Service Pack 1
- Microsoft Word 2013 Service Pack 1 32-bit and 64-bit
- Microsoft Office 2019 for Mac
- Microsoft PowerPoint 2013 Service Pack 1 32-bit and 64-bit
- Microsoft PowerPoint 2013 RT Service Pack 1
- Microsoft PowerPoint 2016 32-bit and 64-bit
- Microsoft Office 2016 for Mac
- Microsoft PowerPoint 2010 Service Pack 2 32-bit and 64-bit
- Microsoft Excel 2016 32-bit and 64-bit
- Microsoft Excel 2010 Service Pack 2 32-bit and 64-bit
- Microsoft Excel 2013 RT Service Pack 1
- Microsoft Excel 2013 Service Pack 1 32-bit and 64-bit
Overview
Multiple vulnerabilities have been reported in Microsoft Office software, which could allow a remote attacker to obtain sensitive information or execute arbitrary code on a targeted system.
Description
1. Microsoft Access Information Disclosure Vulnerabilities (CVE-2019-1400, CVE-2019-1463)
These vulnerabilities exist in Microsoft Access due to improper handling of objects in memory. A remote attacker could exploit these vulnerabilities by convincing a user to run a specially crafted application. Successful exploitation of these vulnerabilities could allow the attacker to obtain sensitive information that could be used for further exploitation.
2. Microsoft Word Remote Code Execution Vulnerability (CVE-2019-1461)
This vulnerability exists in Microsoft Word due to improper handling of objects in memory. A remote attacker could exploit this vulnerability by convincing a user to open a specially crafted file. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system in the context of the current user.
3. Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2019-1462)
This vulnerability exists in Microsoft PowerPoint due to improper handling of objects in memory. A remote attacker could exploit this vulnerability by convincing a user to open a specially crafted file. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system in the context of the current user.
4. Microsoft Excel Information Disclosure Vulnerability (CVE-2019-1464)
This vulnerability exists in Microsoft Excel due to improper disclosure of memory contents. An attacker could exploit this vulnerability by convincing a user to open a specially crafted file. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information on the targeted system.
Solution
Apply appropriate fixes as mentioned in Microsoft Security Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance
Vendor Information
Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1400
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1461
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1462
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1463
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1464
CVE Name
CVE-2019-1400
CVE-2019-1463
CVE-2019-1461
CVE-2019-1462
CVE-2019-1464
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India