Vulnerabilities in Microsoft Office apps are becoming something of a routine. We have previously reported instances where attackers could exploit Microsoft Word and PowerPoint, amongst other products. This time, researchers have discovered a problem that affects the entire MS Office suite. Reportedly, they found a Microsoft Office vulnerability that could leak sensitive information to hackers.
New Microsoft Office Vulnerability Could Expose Sensitive Data
Researchers from the Mimecast Research Labs have disclosed their findings regarding a Microsoft Office vulnerability. As revealed, exploiting this vulnerability could allow an attacker to gain access to sensitive information. Moreover, the bug could also expose previously created Office files.
The researchers have shared the details of their discovery in a blog post. Explaining the vulnerability, they state:
“Microsoft Office product had a memory leak… this memory leak leads to the permanent writing of memory content into different Microsoft Office files and thus, the potential for the unintended leakage of sensitive information and local machine information.”
Allegedly, the vulnerability affected all of the Microsoft Office suite, leaking sensitive data into Office files. Upon examining suspicious files received from customers, Mimecast researchers found machine-executable code in the files. Further investigation then revealed that the vulnerability existed in all MS Office files with ActiveX controls.
According to Mimecast, the vulnerability seems reminiscent of the already known Heartbleed vulnerability discovered in 2014. The researchers state that they could find the presence of this vulnerability in files “dating years back”. It means that the flaw has already affected millions of users around the world.
Microsoft Released A Fix
The researchers reported the vulnerability to Microsoft on November 6, 2018. The next day, Microsoft began working on the matter. Eventually, it released a patch for this flaw with the January 2019 Patch Tuesday updates. Describing the vulnerability in its advisory, Microsoft stated:
“An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data. To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created.”
The vulnerability has been assigned CVE-2019-0560 and is rated “important” by Microsoft.
Fortunately, Mimecast confirmed that there is no active exploitation of this bug in the wild. While Microsoft has patched the flaw, the researchers fear that previously created Office files available on the internet still remain exploitable. Hence, they recommend that everyone remove such files and/or resave them with patched MS Office versions.
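To act on that recommendation, an administrator first needs a list of the documents that contain ActiveX controls. The following Python sketch is an added example, not code from Mimecast or Microsoft: it inventories OOXML files (which are ZIP archives) that carry parts under an activeX/ folder. It assumes modern OOXML formats only, and a hit marks a file as a candidate for removal or resaving, not as proof that it contains leaked memory.

```python
import io
import sys
import zipfile
from pathlib import Path

# OOXML packages are ZIP archives; legacy .doc/.xls/.ppt are not and are reported as None.
OOXML_SUFFIXES = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def activex_parts(source):
    """Return the sorted ActiveX part names in an OOXML package (path or file object).

    Returns None when the input cannot be read as a ZIP archive.
    """
    try:
        with zipfile.ZipFile(source) as pkg:
            # ActiveX controls are stored as parts under word/, xl/ or ppt/ + activeX/.
            return sorted(
                name for name in pkg.namelist()
                if "/activex/" in name.lower() and not name.endswith("/")
            )
    except (zipfile.BadZipFile, OSError):
        return None


def scan_tree(root):
    """Map each OOXML file under root that carries ActiveX parts to those parts."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in OOXML_SUFFIXES:
            parts = activex_parts(path)
            if parts:
                findings[str(path)] = parts
    return findings


def constructed_docx(with_activex):
    """Build a minimal in-memory package (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<document/>")
        if with_activex:
            pkg.writestr("word/activeX/activeX1.xml", "<ocx/>")
            pkg.writestr("word/activeX/activeX1.bin", b"\x00" * 16)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, parts in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {', '.join(parts)}")
```

Run it with a directory path as the only argument; files it lists can then be removed or opened and resaved in a patched Office version.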