#VU26852 Input validation error in Microsoft products - CVE-2020-0760

Cybersecurity Help s.r.o.

Published: 2020-04-14

Vulnerability identifier: #VU26852

Vulnerability risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-0760

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to the Microsoft Office improperly loads arbitrary type libraries. A remote attacker can trick a victim to open a specially crafted Office document and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Microsoft Office: 365 ProPlus, 2010 Service Pack 2, 2013 RT - 2013, 2016, 2019

Microsoft Excel: 2010, 2013 RT Service Pack 1, 2013, 2016

Microsoft PowerPoint: 2010 Service Pack 2, 2013 RT Service Pack 1, 2013 Service Pack 1, 2016

Microsoft Visio: 2010, 2013, 2016

Microsoft Word: 2010, 2013 RT Service Pack 1, 2013 Service Pack 1, 2016

Microsoft Access: 2010 Service Pack 2, 2013 Service Pack 1, 2016

Microsoft Project: 2016

Microsoft Outlook: 2010 Service Pack 2, 2013 RT Service Pack 1, 2013 Service Pack 1, 2016

Microsoft Project Server: 2010 Service Pack 2

Microsoft Publisher: 2010

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0760

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Microsoft Office