Microsoft Excel Remote Code Execution Vulnerability (CVE-2019-1297) Threat Alert

October 4, 2019 | Mina Hao

Overview

Microsoft released security updates for September that address a remote code execution vulnerability (CVE-2019-1297) in Microsoft Excel.

This vulnerability exists in Microsoft Excel when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged in with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Exploitation of this vulnerability requires that a user open a crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit this vulnerability by sending the crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website containing a crafted file designed to exploit the vulnerability.

Technical details about this vulnerability have not yet been disclosed. Since Excel is a widely used spreadsheet application, users are advised to download and install patches as soon as possible to prevent the preceding risks.

Reference:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1297

Affected Versions

  • Microsoft Excel 2010 Service Pack 2 (32-bit editions)
  • Microsoft Excel 2010 Service Pack 2 (64-bit editions)
  • Microsoft Excel 2013 Service Pack 1 (32-bit editions)
  • Microsoft Excel 2013 Service Pack 1 (64-bit editions)
  • Microsoft Excel 2013 RT Service Pack 1
  • Microsoft Office 2016 for Mac
  • Microsoft Excel 2016 (32-bit edition)
  • Microsoft Excel 2016 (64-bit edition)
  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft Office 2019 for Mac
  • Office 365 ProPlus for 32-bit Systems
  • Office 365 ProPlus for 64-bit Systems

Solution

Microsoft has released security updates for all affected products (including versions for which official support is no longer available) to fix this vulnerability. Users are advised to download and install them as soon as possible. There are three methods to obtain and install patches: intranet WSUS, Microsoft Update service available on Microsoft’s official website, and offline installation.

Note: To immediately start Windows Update, users can type wuauclt.exe /detectnow at the command line prompt.

Method 1: intranet WSUS

Applicability: This method is applicable to computers that are in the Active Directory domain where the WSUS server is available, or computers that have access to the intranet WSUS service.

The system automatically downloads new security patches at regular intervals and prompts users to install them. Users only need to install these patches as prompted.

To make a patch take effect immediately, users can restart their computers as soon as the installation is complete.

Method 2: Microsoft Update service available on Microsoft’s official website

Applicability: This method is applicable to computers that can connect to the Internet, but have no access to the intranet WSUS service, including those with the intranet WSUS service disabled and those that have this service enabled, but have no access to the intranet.

If the intranet WSUS service is not enabled on computers, users should first enable it and then install patches and restart the computer as prompted.

If computers have the intranet WSUS service enabled, but do not connect to the intranet, users should do as follows: Choose Start > All Programs > Windows Update, click Check online for updates from Microsoft Update, and then do as prompted.

Method 3: offline installation

With this method, users need to first download the latest patch for the current system, and then double-click the installation package to install it. For download links, see Appendix A.

Appendix A Official Patch Download Link

| Product | KB Article | Download |
|---|---|---|
| Microsoft Excel 2010 Service Pack 2 (32-bit editions) | 4475574 | Security Update |
| Microsoft Excel 2010 Service Pack 2 (64-bit editions) | 4475574 | Security Update |
| Microsoft Excel 2013 Service Pack 1 (32-bit editions) | 4475566 | Security Update |
| Microsoft Excel 2013 Service Pack 1 (64-bit editions) | 4475566 | Security Update |
| Microsoft Excel 2013 RT Service Pack 1 | 4475566 | Security Update |
| Microsoft Office 2016 for Mac | Release Notes | Security Update |
| Microsoft Excel 2016 (32-bit edition) | 4475579 | Security Update |
| Microsoft Excel 2016 (64-bit edition) | 4475579 | Security Update |
| Microsoft Office 2019 for 32-bit editions | Click to Run | Security Update |
| Microsoft Office 2019 for 64-bit editions | Click to Run | Security Update |
| Microsoft Office 2019 for Mac | Release Notes | Security Update |
| Office 365 ProPlus for 32-bit Systems | Click to Run | Security Update |
| Office 365 ProPlus for 64-bit Systems | Click to Run | Security Update |
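
To confirm on a Windows host that one of the updates in Appendix A has been applied, the following PowerShell check can be run after patching. It is an added example, not code from NSFOCUS or Microsoft: the KB numbers come from Appendix A, while the registry locations are the standard Windows and Office ones and assume a default installation.

```powershell
# Added example. KB numbers are taken from Appendix A of this advisory;
# registry paths are standard Windows/Office locations (assumption: default install).
$kbs = 'KB4475574', 'KB4475566', 'KB4475579'   # Excel 2010 SP2, 2013 SP1, 2016

# MSI-based Office updates register under the Uninstall keys (native and 32-bit view).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installedKbs = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match ($kbs -join '|') } |
    Select-Object -ExpandProperty DisplayName -Unique

# Click-to-Run installs (Office 2019, Office 365 ProPlus) are serviced by build
# number rather than by KB, so record the reported build instead.
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
    -ErrorAction SilentlyContinue

# Locate EXCEL.EXE through App Paths and read its file version.
$appPath = Get-ItemProperty `
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe' `
    -ErrorAction SilentlyContinue
$excelExe = if ($appPath) { $appPath.'(default)' }
$excelVersion = if ($excelExe -and (Test-Path $excelExe)) {
    (Get-Item $excelExe).VersionInfo.FileVersion
}

# One record per host, suitable for export to CSV across a fleet.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    ExcelPath         = $excelExe
    ExcelFileVersion  = $excelVersion
    ClickToRunVersion = if ($c2r) { $c2r.VersionToReport }
    MatchingUpdates   = @($installedKbs) -join '; '
    # Excel is present, is not Click-to-Run, and none of the listed KBs is registered.
    NeedsReview       = ([bool]$excelExe) -and (-not $installedKbs) -and (-not $c2r)
}
```

A host flagged NeedsReview is not necessarily unpatched, because a later Excel update supersedes these KBs; compare ExcelFileVersion (or ClickToRunVersion) with the fixed build given in the corresponding KB article or release notes.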

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
