Microsoft released the June 2020 Office security updates, with a total of 19 security updates and 5 cumulative updates for 7 different products, patching 4 critical bugs that enable attackers to remotely execute arbitrary code on unpatched systems.
Of the 19 security updates issued this month, 9 address remote code execution (RCE) vulnerabilities (details in CVE-2020-1181, CVE-2020-1226, CVE-2020-1225, and CVE-2020-1321) within Excel 2010, Excel 2013, Excel 2016, SharePoint Server 2019, SharePoint Foundation 2010, SharePoint Server 2010, SharePoint Foundation 2013, SharePoint Enterprise Server 2013, and SharePoint Enterprise Server 2016.
Microsoft rates these RCE flaws as either Critical or Important severity issues, as they could enable attackers to execute arbitrary code in the context of the vulnerable apps after successfully exploiting Windows devices running unpatched Office products.
The threat actors could then install programs, view, change, and delete data, as well as make their own Windows accounts with full user rights on the compromised computers.
Microsoft also patched 7 security feature bypass vulnerabilities in Office 2013, Word 2013, Office 2016, Word 2016, Office 2010, and Word 2010 (details available in CVE-2020-1229), as well as 3 information disclosure vulnerabilities found in Project 2016, Project 2013, and Project 2010 (more info in CVE-2020-1322).