July security bug roundup and documentation errors


It’s time for the July roundup of patches for yet more security bugs in Microsoft Office including Office 365 and Office 2016 for Windows plus Office 2013 and 2010. Plus the latest example of confusing documentation errors.

Office 365 and Office 2019

A bug where Office JavaScript doesn’t check the web page requesting details from Office documents: CVE-2019-1109

Exchange can be tricked into making contacts with invisible names. These contacts could be added, unseen, to conversations, allowing someone to read the thread without being known to participants. It also gives access to SharePoint documents: CVE-2019-1084. While this is an Exchange issue, patches are necessary for Office as well.

Again, more ‘remote code execution’ bugs; both of this month’s bugs are in Excel: CVE-2019-1110 and CVE-2019-1111

These security bugs also affect earlier versions of Office as listed below.

Update your Office 365/2019 either automatically or manually via File | Account | Update Options | Update now.

Confusing documentation

… case 12,345 and counting <sigh>

This month has another example of Microsoft’s confusing and badly managed patch documentation. CVE-2019-1084 and related KB4475514 talk about ‘Information Disclosure Vulnerability’. But many or all of the related patch download pages describe a bug that “..could allow arbitrary code to run when a maliciously modified file is opened.” That is a very different thing.

Microsoft Download page at 9 July 2019

What’s up? Microsoft has standard phrasing (‘weasel words’) for all the main security bug types.  Most likely a ‘softie copied the wrong standard wording into the download pages with no one checking.

The download should be OK and fix the real security bug. But when Microsoft security can’t get basic disclosures right, it’s little wonder there’s dropping confidence in their security and patching systems.

Office 2016

Update Office 2016 and earlier using Windows/Microsoft Update when you’re ready. Given Microsoft’s spotty record you may want to wait a few weeks to see if there are any bugs in the patches themselves.

Excel 2016                 Security update (KB4475513)
Office 2016                Security update (KB4475514)
                           Security update (KB4461539)
                           Security update (KB4464534)
Outlook 2016               Security update (KB4475517)
Skype for Business 2016    Security update (KB4475545)

Office 2013

Excel 2013                             Security update (KB4464565)
Office 2013                            Security update (KB4018375)
                                       Security update (KB4464558)
                                       Security update (KB4464543)
Outlook 2013                           Security update (KB4464592)
Skype for Business 2015 / Lync 2013    Security update (KB4475519)

Office 2010

Excel 2010      Security update (KB4464572)
Office 2010     Security update (KB4462224)
Outlook 2010    Security update (KB4475509)

