Synopsis
The Microsoft Office Products are affected by multiple vulnerabilities.
Description
The Microsoft Office Products are missing security updates. They are, therefore, affected by multiple vulnerabilities:
- A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. (CVE-2019-0538, CVE-2019-0582)
- A security feature bypass vulnerability exists when Microsoft Office does not validate URLs. An attacker could send a victim a specially crafted file, which could trick the victim into entering credentials. An attacker who successfully exploited this vulnerability could perform a phishing attack. (CVE-2019-0540)
- An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user's computer or data. To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created.
(CVE-2019-0669)
- A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. (CVE-2019-0671, CVE-2019-0672, CVE-2019-0673, CVE-2019-0674, CVE-2019-0675)
Solution
Microsoft has released the following security updates to address this issue:
-KB4018294
-KB4018300
-KB4018313
-KB4462138
-KB4462146
-KB4462174
-KB4462177
For Office 365, Office 2016 C2R, or Office 2019, ensure automatic updates are enabled or open any office app and manually perform an update.
Plugin Details
File Name: smb_nt_ms19_feb_office.nasl
Agent: windows
Supported Sensors: Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:microsoft:office
Required KB Items: SMB/MS_Bulletin_Checks/Possible
Exploit Ease: No known exploits are available
Patch Publication Date: 2/12/2019
Vulnerability Publication Date: 2/12/2019
Reference Information
CVE: CVE-2019-0538, CVE-2019-0540, CVE-2019-0582, CVE-2019-0669, CVE-2019-0671, CVE-2019-0672, CVE-2019-0673, CVE-2019-0674, CVE-2019-0675
BID: 106419, 106433
MSFT: MS19-4018294, MS19-4018300, MS19-4018313, MS19-4462138, MS19-4462146, MS19-4462174, MS19-4462177
MSKB: 4018294, 4018300, 4018313, 4462138, 4462146, 4462174, 4462177