CVE-2020-1581: Microsoft Office Click-to-Run Elevation of Privilege Vulnerability

Overview

  • Severity: N/A
  • Category: Elevation of Privilege
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Less Likely
  • Patch Tuesday: 2020-Aug
  • Released: 2020-08-11
  • EPSS Score: 9.68% (percentile: 92.9%)

Description

An elevation of privilege vulnerability exists in the way that Microsoft Office Click-to-Run (C2R) components handle objects in memory. An attacker who successfully exploited the vulnerability could elevate privileges. The attacker would need to already have the ability to execute code on the system. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how Microsoft Office Click-to-Run (C2R) components handle objects in memory.

FAQ

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.

Affected Products (6)

Microsoft Office

  • Microsoft Office 2013 Click-to-Run (C2R) for 32-bit editions
  • Microsoft Office 2013 Click-to-Run (C2R) for 64-bit editions
  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft 365 Apps for Enterprise for 64-bit Systems

Acknowledgments

hackyzh and lm0963 of DBAppSecurity Zion Lab working with Trend Micro's Zero Day Initiative (https://www.zerodayinitiative.com/)

Revision History

  • 2020-08-11: Information published.