Microsoft Office April security updates fix critical RCE bugs

silversurfer

Microsoft released the April 2020 Office security updates on April 14, 2020, with a total of 55 security updates and 5 cumulative updates for 7 different products, and patching 5 critical bugs allowing attackers to run scripts as the current user and remotely execute arbitrary code on unpatched systems.

Out of the 55 Office security updates released by Microsoft today, 12 of them patch remote code execution (RCE) vulnerabilities (details in CVE-2020-0931, CVE-2020-0932, CVE-2020-0929, CVE-2020-0974, CVE-2020-0979, CVE-2020-0980, CVE-2020-0760, CVE-2020-0991, CVE-2020-0961, CVE-2020-0906, CVE-2020-0920, and CVE-2020-0971) within Microsoft Office and Microsoft Office SharePoint products.

The RCE bugs are rated by Microsoft with Critical and Important severity ratings as they could allow attackers to execute arbitrary code in the context of the SharePoint app pool and the SharePoint server farm account after successfully exploiting Windows devices running unpatched Office products.

Attackers could then install programs, view, change, and delete data, as well as create new accounts with full user rights on the compromised computers.

10 cross-site-scripting (XSS) vulnerabilities (details in CVE-2020-0927, CVE-2020-0923, CVE-2020-0925, CVE-2020-0924, CVE-2020-0930, CVE-2020-0933, CVE-2020-0978, CVE-2020-0973, CVE-2020-0926, and CVE-2020-0954) were also fixed to prevent attackers from running scripts in the security context of the current user and impersonating the user, stealing sensitive data, or reading content without authorization.

Microsoft also patched two elevation of privilege security flaws (details in CVE-2020-0984 and CVE-2020-0935) and four spoofing vulnerabilities (CVE-2020-0975, CVE-2020-0977, CVE-2020-0976, and CVE-2020-0972).
 
