Microsoft Patch Tuesday Release Fixes ‘Unusual’ Number Of Office Bugs: Researcher
While the total number of vulnerabilities addressed in the monthly release of Microsoft security updates is modest, there’s a comparatively high number of Office-related bugs fixed in the release, writes Trend Micro’s Dustin Childs.
While the total number of vulnerabilities fixed in Microsoft’s monthly security updates Tuesday is modest, there’s a comparatively high number of Office-related bugs disclosed in the release, according to a Trend Micro researcher.
Those vulnerabilities include two critical-severity remote code execution flaws, which were addressed as part of Microsoft’s monthly release of software bug fixes, unofficially known as “Patch Tuesday.”
The tech giant fixed 75 new CVEs (Common Vulnerabilities and Exposures) in the release — 12 of which are rated as critical and five of which have seen exploitation in attacks, according to Microsoft.
As usual, the patches address vulnerabilities that affect numerous Microsoft product segments including Windows, Office, Azure, Hyper-V, Microsoft Defender, .NET, Visual Studio, Nuance PowerScribe and Remote Desktop Gateway Service.
In total, “this number of fixes isn’t unusual for May, but it does put Microsoft ahead of where they were at this point last year in regards to CVEs released,” wrote Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, in a post Tuesday.
“It’s also unusual to see so many Office-related bugs getting patched in a single month,” Childs wrote. “Perhaps this is a harbinger of attacks we can expect to see later this year.”
CRN has reached out to Microsoft for comment.
The five vulnerabilities that have seen exploitation in attacks so far are all rated as “important” in terms of severity.
The exploited bugs include three privilege elevation CVEs affecting Windows as well as vulnerabilities affecting Windows DWM (Desktop Window Manager) and the Microsoft Scripting Engine.
While neither of the critical vulnerabilities affecting Office has seen exploitation, the potential for the bugs to be exploited for remote code execution should make them a priority for patching, Childs wrote.
Additionally, “there’s no user interaction required here, so simply receiving a specially crafted file in the Preview Pane would allow for code execution,” he wrote.
Meanwhile, in terms of other code execution vulnerabilities disclosed by Microsoft Tuesday, “we see a plethora of Office-related bugs, including nine for Excel alone,” Childs wrote, though he noted that “these are only the open-and-own variety, and the Preview Pane is not an attack vector.”
