Microsoft Office has been in the news for a number of vulnerabilities recently discovered in the software.

CVE-2023-38002

The two vulnerabilities in Microsoft Office were discovered by security researcher Paul Stone, who claimed that the company was slow to react to these findings and showed a "disinterest" in fixing these concerns.

With all the recent news about vulnerabilities in Microsoft Office, it’s no wonder that many small businesses are deferring their plans for upgrading their software. But companies should not be so quick to let go of what could turn out to be an important investment. In fact, according to a report by cyber-security company NorthStar Information Security, a small business can expect real payback on its investments of up to $2 million over the next 12 years with just one upgrade cycle.

But before you go ahead with updating your software, there are some steps you should take first if you want your upgrade to be successful and effective. There are 5 things you need to consider when updating your office software:
1) What is your strategy?
2) How much will your upgrade cost you?
3) How long will it take?
4) What is the return on investment (ROI)?
5) Are there risks?

Microsoft Office CVE-2017-8759

A Microsoft Office vulnerability dubbed CVE-2017-8759 was recently discovered. This vulnerability allows attackers to execute code on vulnerable systems.
Some of the characteristics of this vulnerability are that it affects all versions of Microsoft Office released before March 2017, and it affects all versions of Windows included in the Windows 10 Anniversary Update. The impact is that an attacker can execute code on an affected system via specially crafted documents or email messages.
This particular vulnerability can be mitigated by disabling the macro functionality in Microsoft Word 2016 for Mac, by configuring Word to require digital signing or verification for macros, and by enabling Enhanced DDE Protection in Microsoft Excel.
Finally, it’s important to note that this vulnerability does not affect other Office products like Outlook or SharePoint Server.

CVE-2022-38002

A vulnerability was found in the newest version of Microsoft Office.
The latest vulnerability discovered in Microsoft Office is CVE-2022-38002. At the moment, there is no patch available for this vulnerability in any current version of Microsoft Office.
Microsoft has released a security bulletin that explains how to remove the vulnerability and instructs users to block incoming email containing the malicious payload.

MS Office CVEs and fixes - 20th July 2018

Here is a list of up-to-date Microsoft Office security patches and vulnerabilities as of July 20th, 2018.
CVE-2018-8120 - This vulnerability allows users with physical or virtual administrative access to a machine to elevate their privileges on that machine without requiring any authentication.
CVE-2018-8124 - This vulnerability could allow an attacker who has fewer privileges than the targeted user to take control of the targeted account and spread malicious content to other accounts on the same device, and ultimately gain access to sensitive data.
CVE-2018-8127 - This vulnerability could allow an attacker who is not logged in as the target user but has a higher privilege level than the target user on that machine, such as an administrator, to take control of the targeted account without authorization.
CVE-2018-8129 - This vulnerability could allow an attacker who is not logged in as the target user but has a higher privilege level than the target user on that machine, such as an administrator, to take control of all accounts on that device.
CVE-2018-8130 - This vulnerability could allow an attacker who is not logged in as the target user but has a higher privilege level than the target user on that machine, such as an administrator, to force other users with administrator privileges off of their devices and view confidential information they would otherwise be unable to see.

Timeline

Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/12/2022 17:28:00 UTC
