Microsoft Office January Security Updates Fix Code Execution Bugs


Microsoft released the January 2019 Office security updates, bundling a total of seven security updates and three cumulative updates for five different products, six of them patching flaws allowing remote code execution.

Redmond also released the January 2020 Patch Tuesday security updates, with security updates for 49 vulnerabilities, seven of them being classified as Critical and 41 as Important.

Unlike previous Patch Tuesday releases, Microsoft did not publicly disclose any vulnerabilities found to be actively exploited in the wild.

To download Microsoft Office security updates on your device, you have to click on the corresponding Knowledge Base article in the table below and then scroll down to the “How to download and install the update” section to grab the update packages for each product.

Patched Microsoft Office vulnerabilities

Out of the seven security updates released by Microsoft for several Office products, six patch remote code execution (RCE) bugs detailed in the CVE-2020-0650, CVE-2020-0651, and CVE-2020-0652 security advisories, and impacting Office 2016, Office 2013, Office 2010, Excel 2016, Excel 2013, and Excel 2010.

The RCE security vulnerabilities patched today received a severity rating of ‘Important’ from Microsoft given that they could allow potential attackers to execute arbitrary code and/or commands after successfully exploiting vulnerable Windows devices.

Attackers could then install programs, view, change, and delete data, or create new accounts with full user rights on the compromised computers.

The other security update, tracked as CVE-2020-0647, addresses a Microsoft Office Online spoofing vulnerability that impacts Office Online Server and is caused by incorrect validation of origin in cross-origin communications.

“The attacker who successfully exploited the vulnerability could then perform cross-origin attacks on affected systems,” Microsoft explains.

“These attacks could allow the attacker to read content that the attacker is not authorized to read, and use the victim’s identity to take actions on the site on behalf of the victim. The victim needs to be authenticated for an attacker to compromise the victim.”

January 2020 Microsoft Office security updates

The January Microsoft Office security updates are available via the Download Center and the Microsoft Update platform.

Additional info on each of them is available within the linked knowledge base articles.

Microsoft Office 2016

| Product | Knowledge Base article title and number |
| --- | --- |
| Excel 2016 | Security update for Excel 2016: January 14, 2020 (KB4484217) |
| Office 2016 | Security update for Office 2016: January 14, 2020 (KB4484221) |

Microsoft Office 2013

| Product | Knowledge Base article title and number |
| --- | --- |
| Excel 2013 | Security update for Excel 2013: January 14, 2020 (KB4484234) |
| Office 2013 | Security update for Office 2013: January 14, 2020 (KB4484227) |

Microsoft Office 2010

| Product | Knowledge Base article title and number |
| --- | --- |
| Excel 2010 | Security update for Excel 2010: January 14, 2020 (KB4484243) |
| Office 2010 | Security update for Office 2010: January 14, 2020 (KB4484236) |

Microsoft SharePoint Server 2019

| Product | Knowledge Base article title and number |
| --- | --- |
| Office Online Server | Security update for Office Online Server: January 14, 2020 (KB4484223) |

Microsoft SharePoint Server 2013

| Product | Knowledge Base article title and number |
| --- | --- |
| Project Server 2013 | January 14, 2020, cumulative update for Project Server 2013 (KB4484230) |
| SharePoint Enterprise Server 2013 | January 14, 2020, cumulative update for SharePoint Enterprise Server 2013 (KB4484232) |
| SharePoint Foundation 2013 | January 14, 2020, cumulative update for SharePoint Foundation 2013 (KB4484228) |

 

The information is gathered from Bleeping Computer.