Security Updates for Microsoft Office Products (February 2019)

high Nessus Plugin ID 122132
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 6.7

Synopsis

The Microsoft Office Products are affected by multiple vulnerabilities.

Description

The Microsoft Office Products are missing security updates. They are, therefore, affected by multiple vulnerabilities:

- A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. (CVE-2019-0538, CVE-2019-0582)

- A security feature bypass vulnerability exists when Microsoft Office does not validate URLs. An attacker could send a victim a specially crafted file, which could trick the victim into entering credentials. An attacker who successfully exploited this vulnerability could perform a phishing attack. (CVE-2019-0540)

- An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user's computer or data. To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created.
(CVE-2019-0669)

- A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. (CVE-2019-0671, CVE-2019-0672, CVE-2019-0673, CVE-2019-0674, CVE-2019-0675)

Solution

Microsoft has released the following security updates to address this issue:
-KB4018294
-KB4018300
-KB4018313
-KB4462138
-KB4462146
-KB4462174
-KB4462177

For Office 365, Office 2016 C2R, or Office 2019, ensure automatic updates are enabled or open any office app and manually perform an update.

See Also

http://www.nessus.org/u?ad02bd63

http://www.nessus.org/u?45c067f4

http://www.nessus.org/u?1adac12b

http://www.nessus.org/u?1f96f114

http://www.nessus.org/u?80eba161

http://www.nessus.org/u?995b2a7e

http://www.nessus.org/u?9fd278c9

http://www.nessus.org/u?c6fc9b1b

http://www.nessus.org/u?42ab6861

http://www.nessus.org/u?7b126882

Plugin Details

Severity: High

ID: 122132

File Name: smb_nt_ms19_feb_office.nasl

Version: 1.10

Type: local

Agent: windows

Published: 2/12/2019

Updated: 1/30/2020

Dependencies: office_installed.nasl, smb_hotfixes.nasl, ms_bulletin_checks_possible.nasl

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS Score Source: CVE-2019-0675

CVSS v2.0

Base Score: 9.3

Temporal Score: 6.9

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:office

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 2/12/2019

Vulnerability Publication Date: 2/12/2019

Reference Information

CVE: CVE-2019-0538, CVE-2019-0540, CVE-2019-0582, CVE-2019-0669, CVE-2019-0671, CVE-2019-0672, CVE-2019-0673, CVE-2019-0674, CVE-2019-0675

BID: 106419, 106433

MSKB: 4018294, 4018300, 4018313, 4462138, 4462146, 4462174, 4462177

MSFT: MS19-4018294, MS19-4018300, MS19-4018313, MS19-4462138, MS19-4462146, MS19-4462174, MS19-4462177