July security bug roundup and documentation errors
It’s time for the July roundup of patches for yet more security bugs in Microsoft Office, including Office 365 and Office 2016 for Windows, plus Office 2013 and 2010. Plus the latest example of confusing documentation errors.
Office 365 and Office 2019
A bug in which Office JavaScript doesn’t check which web page is requesting details from Office documents: CVE-2019-1109.
Exchange can be tricked into creating contacts with invisible names. These contacts could be added, unseen, to conversations, allowing someone to read the thread without being known to the participants. It also gives access to SharePoint documents: CVE-2019-1084. While this is an Exchange issue, patches are necessary for Office as well.
Again, more ‘remote code execution’ bugs; both of this month’s are in Excel: CVE-2019-1110 and CVE-2019-1111.
These security bugs also affect earlier versions of Office as listed below.
Update your Office 365/2019 either automatically or manually via File | Account | Update Options | Update now.
Confusing documentation
… case 12,345 and counting <sigh>
This month has another example of Microsoft’s confusing and badly managed patch documentation. CVE-2019-1084 and the related KB4475514 talk about an ‘Information Disclosure Vulnerability’. But many or all of the related patch download pages describe a bug that “...could allow arbitrary code to run when a maliciously modified file is opened”, which is a very different thing.
Microsoft Download page at 9 July 2019
What’s up? Microsoft has standard phrasing (‘weasel words’) for all the main security bug types. Most likely a ‘softie copied the wrong standard wording into the download pages with no one checking.
The download should be OK and fix the real security bug. But when Microsoft security can’t get basic disclosures right, it’s little wonder there’s dropping confidence in their security and patching systems.
Office 2016
Update Office 2016 and earlier using Windows/Microsoft Update when you’re ready. Given Microsoft’s spotty record, you may want to wait a few weeks to see if there are any bugs in the patches themselves.
Excel 2016 Security update (KB4475513)
Office 2016 Security update (KB4475514)
Outlook 2016 Security update (KB4475517)
Skype for Business 2016 Security update (KB4475545)
Office 2013
Excel 2013 Security update (KB4464565)
Office 2013 Security update (KB4018375)
Outlook 2013 Security update (KB4464592)
Skype for Business 2015 / Lync 2013 Security update (KB4475519)
Office 2010
Excel 2010 Security update (KB4464572)
Office 2010 Security update (KB4462224)
Outlook 2010 Security update (KB4475509)