Skip to main content

Microsoft Office security flaw lets hackers infiltrate your PC — what to do

Microsoft Office
(Image credit: Microsoft)

Microsoft Office, a widely used suite of productivity applications, had a security flaw lurking within its legacy code that lets hackers compromise your PC. Check Point Research (CPR), a cybersecurity firm, discovered the bug; they suspect that the vulnerability existed for years.

Before you ditch your Excel and Word apps, you should know that the security hole's already been plugged. CPR disclosed its security-flaw findings to Microsoft, and the Redmond-based tech giant issued fixes to patch the vulnerability.

Security flaw discovered within Microsoft Office legacy code

Parsing mistakes are the culprit behind the security flaw, according to the CPR report. The blunder was discovered within legacy code found in Excel95 File Formats, which is why CPR investigators speculate that the vulnerability existed for several years.

Microsoft Office

Microsoft Office (Image credit: Microsoft)

If attackers choose to exploit this vulnerability, they could execute code targets via malicious Office documents, such as Word (.DOCX), Excel (.EXE) and Outlook (.EML). 

“The vulnerabilities found affect almost the entire Microsoft Office ecosystem. It’s possible to execute such an attack on almost any Office software, including Word, Outlook and others," Yaniv Balmas, Head of Cyber Research at Check Point Software, said in a statement.

Balmas added that one of the most important takeaways of CPR's Microsoft Office investigation is that legacy code continues to be a weak link in the security chain, especially for complex software platforms like Microsoft Office.

CPR investigators revealed that they discovered the vulnerability by "fuzzing" Microsoft Graph (MSGraph), a component found in Microsoft Office products that render graphs and charts. Fuzzing, according to CPR, is an "automated software testing technique that attempts to find hackable software bugs." This tactic randomly feeds invalid data inputs into a computer program to find coding errors and security flaws.

Though the security vulnerability was found within Excel95 File Formats, CPR noted that the entire Office suite supports Excel objects, which makes it possible for hackers to execute attacks on Word, Outlook and other apps.

Microsoft issued a fix for the security flaw

Thanks to CPR's report, Microsoft patched the security flaw, issuing CVE-2021-31174, CVE-2021-31178, CVE-2021-31179, and CVE-2021-31939.

Balmas said that CPR investigators only found four vulnerabilities during their research, but who knows what other flaws could be lurking in Microsoft Office?

"I strongly urge Windows users to update their software immediately, as there are numerous attack vectors possible by an attacker who triggers the vulnerabilities that we found," Balmas said.

To update your PC, click on the Start button and navigate to Settings > Update & security > Windows Update. Click "Check for Updates."