The Microsoft Office Products are missing security updates. They are, therefore, affected by multiple vulnerabilities:

  - An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having     non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with     invalid display names, which, when added to conversations, remain invisible. (CVE-2019-1084)

  - A spoofing vulnerability exists when Microsoft Office Javascript does not check the validity of the web page making     a request to Office documents. An attacker who successfully exploited this vulnerability could read or write     information in Office documents. (CVE-2019-1109)

  - A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle     objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context     of the current user. If the current user is logged on with administrative user rights, an attacker could take     control of the affected system. An attacker could then install programs; view, change, or delete data; or create     new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system     could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability     requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack     scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and     convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage     a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to     exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker     would have to convince users to click a link, typically by way of an enticement in an email or instant message, and     then convince them to open the specially crafted file.(CVE-2019-1111)    

  - An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory.
    An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data.
    To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it.
    An attacker must know the memory address location where the object was created. (CVE-2019-1112)     The update addresses the vulnerability by changing the way certain Excel functions handle objects in memory.

Detections

Analytics

Security Updates for Microsoft Office Products C2R (July 2019)

critical Nessus Plugin ID 162078

Version 1.11

Version 1.10

Version 1.11 Oct 20, 2023, 5:46 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202310201746
Version 1.10 Oct 20, 2023, 3:51 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202310201551