CVE-2020-1224: Microsoft Excel Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 5.5)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2020-Sep
Released: 2020-09-08
Last Updated: 2020-09-16
EPSS Score: 25.02% (percentile: 96.2%)

Description

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data. To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created. The update addresses the vulnerability by changing the way certain Excel functions handle objects in memory.

FAQ

Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Are the updates for the Microsoft Office for Mac currently available? The security update for Microsoft Office 2016 for Mac and Microsoft Office 2019 for Mac are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.

Affected Products (16)

Other

11099
11573
11574
11575
11605
11762
11763
10739
10740
10734
10489
10490
10656
10654
10655
10608

Security Updates (10)

Acknowledgments

Jinquan(@jq0904) of DBAPPSecurity Co., Ltd

Revision History

2020-09-08: Information published.
2020-09-16: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the Release Notes for more information and download links.