Microsoft has addressed critical remote code execution vulnerabilities in multiple SharePoint versions with this month’s Office security updates.
In total, this month the company released 23 security updates and 5 cumulative updates for 7 different products, fixing 9 vulnerabilities that could allow attackers to execute arbitrary code remotely on vulnerable systems.
The highlights of this month’s Microsoft Office security updates are without a doubt the two RCE security bugs affecting Microsoft SharePoint.
While the first one, tracked as CVE-2020-17121, requires attackers to have basic user privileges for exploitation, the second one, tracked as CVE-2020-17118, can be exploited remotely without authentication.
To successfully exploit CVE-2020-17118 in low-complexity attacks, attackers also need to trick targets into opening maliciously crafted Office files.
Based on the information provided by Microsoft in the security advisory, CVE-2020-17118 proof-of-concept exploit code is also available (although probably shared privately) —
The bug was discovered by Jonathan Birch, a Senior Security Software Engineer with the Microsoft Office Security Team, and it affects Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Foundation 2010 Service Pack 2.
“The code or technique is not functional in all situations and may require substantial modification by a skilled attacker,” Microsoft explains.
Microsoft Office security issues addressed this month
Security updates published as part of the December 2020 Patch Tuesday address bugs that could allow remote code execution (RCE) on Windows systems running vulnerable Click-to-Run and Microsoft Installer (.msi)-based editions of Microsoft Office products.
The 9 RCE bugs patched this month are rated by Microsoft as Critical or Important severity issues because they may allow attackers to execute arbitrary code in the context of the current user after successful exploitation.
The attackers could then install malicious programs, view, change, and delete data, as well as create rogue admin accounts on the compromised Windows devices.
More details about each of them, including CVE IDs, are available in the knowledge base articles linked below.
To download the December 2020 Microsoft Office security updates, click on the corresponding knowledge base article below and then scroll down to the ‘How to download and install the update’ section.