#VU22685 Permissions, Privileges, and Access Controls in Microsoft Office for Mac and Microsoft Office - CVE-2019-1457

Cybersecurity Help s.r.o.

Published: 2019-11-12

Vulnerability identifier: #VU22685

Vulnerability risk: Medium

CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-1457

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Microsoft Office for Mac
Client/Desktop applications / Office applications
Microsoft Office
Client/Desktop applications / Office applications

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to Microsoft Office for Mac does not enforce macro settings on an Excel document. A remote attacker can trick the victim into opening a specially crafted Excel file and gain access to sensitive information or manipulate data.

Note, this vulnerability does not allow remote code execution.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Microsoft Office for Mac: 2016

Microsoft Office: 2019 for Mac - 2019

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1457

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Security restrictions bypass in Microsoft Office for Mac