A vulnerability in Microsoft Office allowed documents with embedded ActiveX controls to leak user information, including sensitive information like passwords.
The flaw was discovered by Israel-based company Mimecast in November, and according to a timeline published by the firm, it was reported to Microsoft on November 6. The software giant managed to reproduce the issue two days later and on December 12 it confirmed a fix would be shipped in January.
In an analysis of the vulnerability, Mimecast explains it discovered that Microsoft Office files that included ActiveX controls were causing memory leaks after investigating what originally seemed like a false positive.
Patches already available
After further inspection of the bug, Mimecast came to the conclusion that the MSO.DLL file improperly discloses the content of its process memory, which essentially gives a malicious actor the possibility of obtaining information that can be then used for compromising the system or accessing sensitive data like passwords.
“This memory leak leads to the permanent writing of memory content into different Microsoft Office files and thus, the potential for the unintended leakage of sensitive information and local machine information. If known, this is the type of data could be useful to cybercriminals for executing a malware-enabled, remote execution attack and at least as important—to steal sensitive information,” Matthew Gardiner, Director of Product Marketing, explained.
Microsoft confirmed the vulnerability and detailed it in CVE-2019-0560. According to the company, it affects Office 2010, Office 2013, Office 2016, and Office 2019, as well as Office 365 ProPlus. Patches have already been released for all these products, and they were offered an Important severity rating.
“To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created,” Microsoft explains.
Installing the January 2019 security updates resolves the vulnerability and keeps devices protected against any potential exploit.