"Vulnerabilities rooted in outdated code can provide an attacker with the ability to execute code on an attacked system through malicious Office documents such as Word, Excel and Outlook," said researchers at Check Point.
Three of the four vulnerabilities (CVE-2021-31174, CVE-2021-31178, and CVE-2021-31179) were patched by Microsoft last month as part of Patch Tuesday, but the patch for the fourth, a use-after-free vulnerability (CVE-2021-31939), will be released today, June 8th.
In a hypothetical attack scenario, the fourth vulnerability could be exploited simply by opening a malicious Excel file (.XLS) delivered via a download link or email.
The vulnerabilities stem from parsing errors in the legacy code that handles Excel 95 file formats. The problems were discovered while fuzzing MSGraph ("MSGraph.Chart.8"), a relatively little-studied component of Microsoft Office that is comparable to the Equation Editor in terms of attack surface. The Equation Editor (a feature absent from modern versions of Word) has been in the arsenal of several related attackers since at least the end of 2018.
"Because the entire Office suite has the ability to embed Excel objects, this broadens the attack vector by allowing an attack on virtually any Office software, including Word, Outlook, and others," the researchers explained.
Currently, very few technical details of the CVE-2021-31939 vulnerability are available. This is probably to give the majority of users time to install patches and to prevent malicious exploits from being created.
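As an added example (not code from Check Point or Microsoft), here is a triage heuristic for the embedding vector described above: it flags Office files, including the parts inside OOXML containers, that reference the `MSGraph.Chart.8` ProgID. It assumes the ProgID is stored as an ASCII or UTF-16LE string; the function names and sample files are constructed for illustration.

```python
import io
import zipfile

PROGID = "MSGraph.Chart.8"          # component named in the article
NEEDLES = (PROGID.lower().encode("ascii"), PROGID.lower().encode("utf-16-le"))
MAX_MEMBER = 64 * 1024 * 1024       # skip oversized members (zip-bomb guard)


def find_msgraph(data, name="<file>", depth=0):
    """Return the locations (file or zip member paths) that mention the ProgID."""
    hits = []
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        # OOXML containers (.docx/.xlsx/.pptx): inspect each part, including
        # embedded OLE blobs and nested Office files.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                try:
                    member = zf.read(info)
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # encrypted or corrupt part
                hits += find_msgraph(member, f"{name}!{info.filename}", depth + 1)
    else:
        # Legacy OLE2 (.doc/.xls), RTF, .msg: raw case-insensitive search.
        low = data.lower()
        if any(n in low for n in NEEDLES):
            hits.append(name)
    return hits


def build_samples():
    """Constructed inputs: a .docx-like zip with an embedded object, RTF, clean zip."""
    def make_zip(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for path, body in parts.items():
                zf.writestr(path, body)
        return buf.getvalue()
    flagged = make_zip({
        "word/document.xml": b'<o:OLEObject ProgID="MSGraph.Chart.8"/>',
        "word/embeddings/oleObject1.bin": b"\x00" * 16 + PROGID.encode("utf-16-le"),
    })
    clean = make_zip({"word/document.xml": b"<w:document/>"})
    rtf = b"{\\rtf1{\\object\\objemb{\\*\\objclass MSGraph.Chart.8}}}"
    return {"flagged.docx": flagged, "clean.docx": clean, "memo.rtf": rtf}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(fname, find_msgraph(blob, fname))
```

A hit only means the file embeds or references an MSGraph object and deserves closer inspection or quarantine on unpatched hosts; a miss does not prove absence, since an object can be identified in other ways than its ProgID string.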