KLA49155 Multiple vulnerabilities in Microsoft Office

Multiple vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, obtain sensitive information, spoof user interface, bypass security restrictions.

Below is a complete list of vulnerabilities:

1. A remote code execution vulnerability in Microsoft Office can be exploited remotely to execute arbitrary code.
2. A remote code execution vulnerability in Microsoft SharePoint Server can be exploited remotely to execute arbitrary code.
3. A denial of service vulnerability in Microsoft Access can be exploited remotely to cause denial of service.
4. An information disclosure vulnerability in Microsoft Teams can be exploited remotely to obtain sensitive information.
5. A remote code execution vulnerability in Microsoft Excel can be exploited remotely to execute arbitrary code.
6. A spoofing vulnerability in Microsoft SharePoint Server can be exploited remotely to spoof user interface.
7. An information disclosure vulnerability in Microsoft SharePoint Server can be exploited remotely to obtain sensitive information.
8. A security feature bypass vulnerability in Microsoft Word can be exploited remotely to bypass security restrictions.

Original advisories

CVE-2023-29344

CVE-2023-24955

CVE-2023-29333

CVE-2023-24881

CVE-2023-24953

CVE-2023-24950

CVE-2023-24954

CVE-2023-29335

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Microsoft-Office

Microsoft-Excel

Microsoft-Word

Microsoft-SharePoint

CVE list

CVE-2023-29344 critical

CVE-2023-24955 high

CVE-2023-29333 warning

CVE-2023-24881 high

CVE-2023-24953 critical

CVE-2023-24950 high

CVE-2023-24954 high

CVE-2023-29335 critical

KB list

5002372

5002369

5002397

5002386

5002365

5002389

5002390

5002384

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update component usually can be accessed from the Control Panel) and updates from the Update Options section, that are listed in your Office Account (Office Account tab usually can be accessed from the File menu)

Install Office updates

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Microsoft Excel 2013 Service Pack 1 (64-bit editions)Microsoft Excel 2016 (64-bit edition)Microsoft Office Online ServerMicrosoft TeamsMicrosoft Word 2013 Service Pack 1 (64-bit editions)Microsoft Office 2019 for 64-bit editionsMicrosoft Word 2016 (64-bit edition)Microsoft Office LTSC for Mac 2021Microsoft 365 Apps for Enterprise for 32-bit SystemsMicrosoft Word 2013 RT Service Pack 1Microsoft Excel 2013 RT Service Pack 1Microsoft Office LTSC 2021 for 64-bit editionsMicrosoft Office 2019 for MacMicrosoft Office LTSC 2021 for 32-bit editionsMicrosoft SharePoint Server Subscription EditionMicrosoft Excel 2016 (32-bit edition)Microsoft Excel 2013 Service Pack 1 (32-bit editions)Microsoft Office 2019 for 32-bit editionsMicrosoft Word 2016 (32-bit edition)Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019Microsoft 365 Apps for Enterprise for 64-bit SystemsMicrosoft Word 2013 Service Pack 1 (32-bit editions)