Israel researchers find four security flaws in Microsoft Office software

Check Point Software Technologies says vulnerability in graph-making tool is part of legacy code and has been around for years; urges users to update software to fix

Shoshanna Solomon is The Times of Israel's Startups and Business reporter

Illustrative. A hacker breaking into a computer. (gorodenkoff via iStockPhoto)

Cybersecurity researchers at Check Point Software Technologies Ltd. said they have identified four vulnerabilities in the Microsoft Office software suite, including Excel and Office.

If exploited, the vulnerabilities would enable hackers to inject malicious code into Office documents, such as Word, Excel and Outlook, and send them to unwitting targets.

The vulnerabilities could allow hackers to take control of computers, start a ransomware attack, access data and read files, the researchers said.

The weaknesses stem from coding mistakes in a graph-making feature called MSGraph that has been in use in the Office software package since 1995. This leads the researchers to believe that the security flaws have been around “for several years,” Check Point said in a statement.

Hackers could use the vulnerability within that graph-making tool to send victims a file that includes the malicious graph. Once that file is downloaded and opened, the vulnerability is triggered.

The researchers urge users of Windows software to update as soon as possible. They have informed Microsoft of the vulnerability and the issues have now been fixed, Check Point Software said.

“The vulnerabilities found affect almost the entire Microsoft Office ecosystem. It’s possible to execute such an attack on almost any Office software, including Word, Outlook and others,” said Yaniv Balmas, the head of cyber research at Check Point Software.

“We learned that the vulnerabilities are due to parsing mistakes made in legacy code. One of the primary learnings from our research is that legacy code continues to be a weak link in the security chain, especially in complex software like Microsoft Office. Even though we found only four vulnerabilities on the attack surface in our research, one can never tell how many more vulnerabilities like these are still lying around waiting to be found. I strongly urge Windows users to update their software immediately, as there are numerous attack vectors possible by an attacker who triggers the vulnerabilities that we found.”

Microsoft Office is commonly used software that can be found on almost any standard desktop.
