Microsoft Office security flaw lets hackers infiltrate your PC — what to do
Legacy code found in Microsoft Office is a security risk
Microsoft Office, a widely used suite of productivity applications, had a security flaw lurking within its legacy code that lets hackers compromise your PC. Check Point Research (CPR), a cybersecurity firm, discovered the bug; they suspect that the vulnerability existed for years.
Before you ditch your Excel and Word apps, you should know that the security hole's already been plugged. CPR disclosed its security-flaw findings to Microsoft, and the Redmond-based tech giant issued fixes to patch the vulnerability.
- Microsoft warns of 'massive' COVID-19 email phishing campaign
- Microsoft Edge bug wrecks YouTube when Adblock is enabled
- Best laptops of 2021
Security flaw discovered within Microsoft Office legacy code
Parsing mistakes are the culprit behind the security flaw, according to the CPR report. The blunder was discovered within legacy code found in Excel95 File Formats, which is why CPR investigators speculate that the vulnerability existed for several years.
If attackers choose to exploit this vulnerability, they could execute code targets via malicious Office documents, such as Word (.DOCX), Excel (.EXE) and Outlook (.EML).
“The vulnerabilities found affect almost the entire Microsoft Office ecosystem. It’s possible to execute such an attack on almost any Office software, including Word, Outlook and others," Yaniv Balmas, Head of Cyber Research at Check Point Software, said in a statement.
Balmas added that one of the most important takeaways of CPR's Microsoft Office investigation is that legacy code continues to be a weak link in the security chain, especially for complex software platforms like Microsoft Office.
CPR investigators revealed that they discovered the vulnerability by "fuzzing" Microsoft Graph (MSGraph), a component found in Microsoft Office products that render graphs and charts. Fuzzing, according to CPR, is an "automated software testing technique that attempts to find hackable software bugs." This tactic randomly feeds invalid data inputs into a computer program to find coding errors and security flaws.
Stay in the know with Laptop Mag
Get our in-depth reviews, helpful tips, great deals, and the biggest news stories delivered to your inbox.
Though the security vulnerability was found within Excel95 File Formats, CPR noted that the entire Office suite supports Excel objects, which makes it possible for hackers to execute attacks on Word, Outlook and other apps.
Microsoft issued a fix for the security flaw
Thanks to CPR's report, Microsoft patched the security flaw, issuing CVE-2021-31174, CVE-2021-31178, CVE-2021-31179, and CVE-2021-31939.
Balmas said that CPR investigators only found four vulnerabilities during their research, but who knows what other flaws could be lurking in Microsoft Office?
"I strongly urge Windows users to update their software immediately, as there are numerous attack vectors possible by an attacker who triggers the vulnerabilities that we found," Balmas said.
To update your PC, click on the Start button and navigate to Settings > Update & security > Windows Update. Click "Check for Updates."
Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!