There is a current IT security warning for Microsoft Office. Here you can find out which vulnerabilities are involved, which products are affected and what you can do.
The Federal Office for Security in der Informationstechnik (BSI) published a security advisory for Microsoft Office on July 12th, 2023. The report points to several vulnerabilities that allow an attack. The Windows operating system and the products Microsoft Outlook, Microsoft Office Online Server, Microsoft Word, Microsoft Office, Microsoft Excel, Microsoft Office 2016, Microsoft Excel 2016, Microsoft SharePoint Server 2019, Microsoft Office 2013 RT, Microsoft Office 2019 for are affected by the vulnerability Mac, Microsoft Office 2019, Microsoft Word 2016, Microsoft 365 Apps, Microsoft SharePoint and Microsoft Outlook 2016.
The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: Microsoft Security Update Guide (Stand: 11.07.2023).
Several Microsoft Office vulnerabilities reported – risk: high
Risk level: 4 (high)
CVSS Base Score: 9,6
CVSS Temporal Score: 8,9
Remoteangriff: Ja
The Common Vulnerability Scoring System (CVSS) is used to assess the severity of security vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security gaps based on various metrics in order to create a priority list based on this for initiating countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used for the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges, user interaction) and its consequences. The Temporal Score also takes into account changes over time with regard to the risk situation. According to the CVSS, the risk of the vulnerability discussed here is rated as “high” with a base score of 9.6.
Microsoft Office Bug: Effects of exploiting the current vulnerabilities
Microsoft 365 Apps is an office suite for numerous office applications.Excel is a spreadsheet program in the Microsoft Office Suite and is available for both Microsoft Windows and Mac OS.The Microsoft Office Suite includes numerous office applications such as word processing, spreadsheets, databases and other applications.Microsoft Office Online Server is a server product that provides browser-based versions of Word, PowerPoint, Excel, and OneNote. Outlook is a personal information manager from Microsoft and is part of the Office Suite. Microsoft Sharepoint Services is a portal system for the central administration of documents and applications. The content is made available via websites, among other things. Microsoft Sharepoint is a portal system for the central administration of documents and applications. The content is made available via websites, among other things. Microsoft Word is a word processing program from Microsoft.
A remote, anonymous attacker can exploit multiple vulnerabilities in various Microsoft Office products to escalate privileges, execute arbitrary code, disclose information, bypass security, or manipulate files.
The vulnerabilities were classified using the CVE reference system (Common Vulnerabilities and Exposures) based on the individual serial numbers CVE-2023-36884, CVE-2023-35311, CVE-2023-33165, CVE-2023-33162, CVE-2023-33161, CVE-2023-33160, CVE-2023-33159, CVE-2023-33158, CVE-2023-33157, CVE-2023-33153, CVE-2023-33152, CVE-2023-33151, CVE-2023-33150, CVE-2023-33149, CVE-2023-33148 und CVE-2023-33134.
Systems affected by the vulnerability at a glance
operating system
Windows
Products
Microsoft Outlook 2013 (cpe:/a:microsoft:outlook)
Microsoft Office Online Server (cpe:/a:microsoft:office_online_server)
Microsoft Word 2013 RT SP1 (cpe:/a:microsoft:word)
Microsoft Outlook 2013 RT SP1 (cpe:/a:microsoft:outlook)
Microsoft Word 2013 SP1 (cpe:/a:microsoft:word)
Microsoft Office 2013 SP1 (cpe:/a:microsoft:office)
Microsoft Office 2013 Click-to-Run (C2R) (cpe:/a:microsoft:office)
Microsoft Excel 2013 SP1 (cpe:/a:microsoft:excel)
Microsoft Excel 2013 RT SP1 (cpe:/a:microsoft:excel)
Microsoft Office 2016 (cpe:/a:microsoft:office_2016)
Microsoft Excel 2016 (cpe:/a:microsoft:excel_2016)
Microsoft SharePoint Server 2019 (cpe:/a:microsoft:sharepoint_server_2019)
Microsoft Office 2013 RT SP1 (cpe:/a:microsoft:office_2013_rt)
Microsoft Office 2019 for Mac (cpe:/a:microsoft:office_2019_for_mac)
Microsoft Office 2019 (cpe:/a:microsoft:office_2019)
Microsoft Word 2016 (cpe:/a:microsoft:word_2016)
Microsoft 365 Apps (cpe:/a:microsoft:365_apps)
Microsoft SharePoint Enterprise Server 2016 (cpe:/a:microsoft:sharepoint)
Microsoft Office LTSC for Mac 2021 (cpe:/a:microsoft:office)
Microsoft Office LTSC 2021 (cpe:/a:microsoft:office)
Microsoft SharePoint Server Subscription Edition (cpe:/a:microsoft:sharepoint)
Microsoft Outlook 2016 (cpe:/a:microsoft:outlook_2016)
Microsoft Office for Universal (cpe:/a:microsoft:office)
General recommendations for dealing with IT vulnerabilities
Users of the affected systems should keep them up to date. When security gaps become known, manufacturers are required to remedy them as quickly as possible by developing a patch or a workaround. If security patches are available, install them as soon as possible. For information, consult the sources listed in the next section. These often contain further information on the latest version of the software in question and the availability of security patches or tips on workarounds. If you have any further questions or are unsure, contact your responsible administrator. IT security officers should regularly check when the IT security warning affected manufacturers makes a new security update available.
Sources for updates, patches and workarounds
Here you will find further links with information about bug reports, security fixes and workarounds.
Microsoft Security Update Guide dated 2023-07-11 (12.07.2023)
For more information, see:
Version history of this security alert
This is the initial version of this IT security notice for Microsoft Office. As updates are announced, this text will be updated. You can understand the changes made using the following version history.
07/12/2023 – Initial version
+++ Editorial note: This text was created with AI support based on current BSI data. We accept feedback and comments at [email protected]. +++
follow News.de already at Facebook, Twitter, Pinterest and YouTube? Here you will find the latest news, the latest videos and the direct line to the editors.
roj/news.de