Microsoft Releases Updates to Fix Previously Unknown Security Vulnerabilities in MS Office

Microsoft Office is the most commonly used suite of applications, combining a word processor, spreadsheet, and presentation software. It was one of the first applications to gain popularity and helped users shift from manual documents to digital ones. However, Check Point Research (CPR), a cybersecurity firm, has recently discovered a bug that is suspected to have been lurking for years.

The flaw was reported to Microsoft immediately, and an update was released soon thereafter to patch the vulnerability. The update has been rolled out to all Microsoft users with immediate effect, making MS Word, MS Excel, MS PowerPoint, and MS Outlook safe to use. The flaw, or blunder as the CPR report calls it, was found within the legacy code for Excel 95 file formats. The format is an old one, which means the security flaw has been there for a very long time. Parsing mistakes are to blame, as they could have allowed people with malicious intent to infiltrate systems with Microsoft Office installed.

The CPR report further stated that this vulnerability (now fixed by the update) can be exploited to execute code on targets through MS Office apps and files such as Outlook (.EML), Word (.DOCX), and Excel (.EXE), among others. The vulnerabilities affected the entire Microsoft Office ecosystem, old and new alike, as confirmed by Yaniv Balmas, Head of Cyber Research at Check Point Software. He also explained that the legacy code acts as a weak link in the security chain of Microsoft Office.

The flaw was discovered when CPR was testing Microsoft Graph, an MS Office module that allows users to create designs and charts. CPR's process is called fuzzing, an automated software testing technique that identifies software bugs in an application. The idea behind fuzzing is simple: the tester feeds the app invalid data, checks how it reacts, and records the coding errors and security flaws that surface.
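To make the fuzzing idea concrete, here is an added example (not from CPR's report or this article) that mutates a valid input and runs it against two versions of a small record parser, one that trusts declared lengths and one that checks them. The record layout, sample bytes and function names are hypothetical and are not the real Excel 95 format.

```python
import random
import struct

class MalformedRecord(ValueError): pass  # controlled rejection of bad input
# Constructed sample: two toy records, each <u16 id><u16 length><payload>.
SEED = struct.pack("<HH2s", 1, 2, b"\x05\x00") + struct.pack("<HH4s", 2, 4, b"\x06\x00AB")

def parse_naive(data: bytes) -> list:
    """Trusts the declared length and assumes a 2-byte field is always present."""
    out, pos = [], 0
    while pos < len(data):
        rec_id, length = struct.unpack_from("<HH", data, pos)
        (field,) = struct.unpack_from("<H", data, pos + 4)  # no bounds check
        out.append((rec_id, field))
        pos += 4 + length  # may jump past the end of the buffer
    return out

def parse_checked(data: bytes) -> list:
    """Same format, but every length is validated against the bytes available."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise MalformedRecord("truncated header")
        rec_id, length = struct.unpack_from("<HH", data, pos)
        if length < 2 or length > len(data) - pos - 4:
            raise MalformedRecord("declared length does not fit")
        (field,) = struct.unpack_from("<H", data, pos + 4)
        out.append((rec_id, field))
        pos += 4 + length
    return out

def fuzz(parser, seed: bytes = SEED, iterations: int = 500, rng_seed: int = 1) -> dict:
    """Mutate the seed, feed it to the parser, and classify each outcome."""
    rng = random.Random(rng_seed)  # fixed seed so runs are reproducible
    stats = {"ok": 0, "rejected": 0, "crash": 0}
    for _ in range(iterations):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, 3)):  # overwrite a few random bytes
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        if rng.random() < 0.3:  # sometimes truncate the input
            del buf[rng.randrange(1, len(buf)):]
        try:
            parser(bytes(buf))
            stats["ok"] += 1
        except MalformedRecord:
            stats["rejected"] += 1
        except Exception:  # unexpected failure: the bug a fuzzer reports
            stats["crash"] += 1
    return stats
```

Comparing `fuzz(parse_naive)` with `fuzz(parse_checked)` shows the difference a fuzzer surfaces: the unchecked parser fails with unexpected errors on malformed input, while the checked one only ever accepts or cleanly rejects it.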

The vulnerability was found in the Excel 95 file formats, which are old and no longer in common use, but because they are supported by all applications in MS Office, the remaining apps are vulnerable to attack as well. CPR has found only four flaws so far, all of which have been reported to Microsoft, and is continuing its search for other flaws within Microsoft Office.

Microsoft was quick to respond to CPR's report and issued patches by rolling out updates for CVE-2021-31174, CVE-2021-31178, CVE-2021-31179, and CVE-2021-31939. If you wish to update your PC, follow these steps:

Step 1: Press Windows + I to open the Settings window.

Step 2: Click on Update & Settings.

Step 3: Click on Check For Updates. If the updates have been rolled out to your region, they will install automatically.
