CVE-2020-0760: Microsoft Office Remote Code Execution Vulnerability

Overview

Severity

N/A

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Apr

Released

2020-04-14

EPSS Score

33.49% (percentile: 96.9%)

Description

A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker must first convince a user to open a specially crafted Office document. The updates address the vulnerability by correcting how Office handles type libraries.

FAQ

Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.

Affected Products (63)

Microsoft Office

• Microsoft Project 2013 Service Pack 1 (32-bit editions)
• Microsoft Project 2013 Service Pack 1 (64-bit editions)
• Microsoft Office 2019 for 32-bit editions
• Microsoft Office 2019 for 64-bit editions
• Office 365 ProPlus for 32-bit Systems
• Office 365 ProPlus for 64-bit Systems
• Microsoft Excel 2016 (32-bit edition)
• Microsoft Excel 2016 (64-bit edition)
• Microsoft Office 2016 (32-bit edition)
• Microsoft Office 2016 (64-bit edition)
• Microsoft PowerPoint 2016 (32-bit edition)
• Microsoft PowerPoint 2016 (64-bit edition)
• Microsoft Visio 2016 (32-bit edition)
• Microsoft Visio 2016 (64-bit edition)
• Microsoft Word 2016 (32-bit edition)
• Microsoft Word 2016 (64-bit edition)
• Microsoft Publisher 2016 (32-bit edition)
• Microsoft Publisher 2016 (64-bit edition)
• Microsoft Access 2016 (32-bit edition)
• Microsoft Access 2016 (64-bit edition)
• Microsoft Project 2016 (32-bit edition)
• Microsoft Project 2016 (64-bit edition)
• Microsoft Outlook 2016 (32-bit edition)
• Microsoft Outlook 2016 (64-bit edition)
• Microsoft Excel 2010 Service Pack 2 (32-bit editions)
• Microsoft Excel 2010 Service Pack 2 (64-bit editions)
• Microsoft Excel 2013 RT Service Pack 1
• Microsoft Excel 2013 Service Pack 1 (32-bit editions)
• Microsoft Excel 2013 Service Pack 1 (64-bit editions)
• Microsoft Office 2010 Service Pack 2 (32-bit editions)
• Microsoft Office 2010 Service Pack 2 (64-bit editions)
• Microsoft Office 2013 RT Service Pack 1
• Microsoft Office 2013 Service Pack 1 (32-bit editions)
• Microsoft Office 2013 Service Pack 1 (64-bit editions)
• Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions)
• Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions)
• Microsoft Project 2010 Service Pack 2 (32-bit editions)
• Microsoft Project 2010 Service Pack 2 (64-bit editions)
• Microsoft Visio 2010 Service Pack 2 (32-bit editions)
• Microsoft Visio 2010 Service Pack 2 (64-bit editions)
• Microsoft Word 2010 Service Pack 2 (32-bit editions)
• Microsoft Word 2010 Service Pack 2 (64-bit editions)
• Microsoft Word 2013 RT Service Pack 1
• Microsoft Word 2013 Service Pack 1 (32-bit editions)
• Microsoft Word 2013 Service Pack 1 (64-bit editions)
• Microsoft Visio 2013 Service Pack 1 (64-bit editions)
• Microsoft Publisher 2013 Service Pack 1 (32-bit editions)
• Microsoft Publisher 2013 Service Pack 1 (64-bit editions)
• Microsoft PowerPoint 2013 RT Service Pack 1
• Microsoft Access 2013 Service Pack 1 (64-bit editions)
• ... and 13 more

Security Updates (25)

• 4484125
• 4484273
• 3128012
• 4484214
• 4484246
• 4484244
• 4484300
• 4011097
• 4484167
• 4484269
• 4484274
• 4484285
• 3203462
• 4484126
• 4484235
• 4484132
• 4462225
• 4484295
• 4464544
• 3162033
• 4462210
• 4464527
• 4484281
• 4484284
• 4032216

Acknowledgments

<a href="https://www.twitter.com/stanhacked/">Stan Hegt</a> of <a href="https://www.outflank.nl/">Outflank</a>

Revision History

• 2020-04-14: Information published.