Office memory leak finally patched by Microsoft


An astonishingly simple security flaw in Microsoft Office has finally been patched, two months after Microsoft confirmed the problem.  The unanswered question is why it took so long to discover.

Mimecast.com discovered the ActiveX memory leak back in November 2018 and reported it to Microsoft.  Two months later, Microsoft fixed the problem in its January 2019 bundle of security fixes.

The security breach involves ActiveX controls which are still supported in Office 2019, 365 and 2016.  You can find them on the Developer Tab under Legacy Tools.


A hacker can send a document with ActiveX controls, get someone to open the document and enable the ActiveX controls.  When the document is saved, a chunk of Office's process memory is saved with the document … a great big no-no.

As Mimecast shows, that info saved to the document could include private information that definitely should not be in a Word document.


Example from Mimecast of OneDrive/SharePoint link wrongly saved in document.

As far as anyone knows, this Office security bug has not been used by hackers.

If you’ve applied the January 2019 fixes, specifically the ones for CVE-2019-0560, then you’re OK.  All supported versions of Office for Windows are affected, from Office 2010 to Office 2019 and Office 365.

What took so long?

Some security bugs in Office are really complex, but others are so simple that you have to wonder what took Microsoft so long.

This security leak has been staring Microsoft in the corporate face for years without detection.  Maybe it was too simple and obvious?  It took Mimecast, a third party, to find it and notify Microsoft.

Mimecast’s description of the bug includes the simple steps to replicate the problem.  All you have to do is make an Office document with some ActiveX controls, then open up the raw document (an Office file is a zip archive) and check out the .bin file saved for each control.
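The check above can be automated from the defender's side: before a document with ActiveX controls leaves the organisation, unzip it and look for readable strings inside the control parts. The script below is an added example written for this article; it is not Mimecast's or Microsoft's code. It assumes the OOXML layout where control data sits at `word/activeX/activeXN.bin` (or `xl/`, `ppt/`), and it builds its own constructed sample document in memory, so the URL, path and account name it reports are made up for the demonstration. It scans for both ASCII and UTF-16LE runs, since Windows process memory holds strings in both forms.

```python
"""Audit the ActiveX control parts of an Office document for leaked strings."""
import io
import re
import zipfile

# Constructed sample control data standing in for a leaked memory chunk.
# The URL, path and account name below are made up for this example.
SAMPLE_BIN = (
    b"\x00\x01\x02\x03" * 4
    + b"https://contoso-example.sharepoint.com/sites/finance/Q4.xlsx"
    + b"\x00" * 8
    + b"C:\\Users\\example\\Documents\\draft.docx"
    + b"\xff" * 4
    + "DOMAIN\\jdoe".encode("utf-16-le")
)


def build_sample_docx() -> bytes:
    """Build a minimal .docx-shaped zip (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.bin", SAMPLE_BIN)
        zf.writestr("word/activeX/activeX2.bin", b"\x00" * 64)  # clean control
    return buf.getvalue()


# ActiveX control parts live under <main part>/activeX/activeXN.bin in OOXML.
ACTIVEX_PART = re.compile(r"^(word|xl|ppt)/activeX/activeX\d+\.bin$")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# Heuristics for things that should never appear inside a form control blob:
# web links, Windows paths or account names, e-mail addresses.
SUSPICIOUS = re.compile(r"https?://|\\|@")


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE runs in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16-le", m.group().decode("utf-16-le")


def scan_activex_parts(docx_bytes: bytes):
    """Return [(part name, offset, encoding, text)] for suspicious strings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not ACTIVEX_PART.match(name):
                continue
            for offset, enc, text in extract_strings(zf.read(name)):
                if SUSPICIOUS.search(text):
                    findings.append((name, offset, enc, text))
    return findings


if __name__ == "__main__":
    # On a real file: scan_activex_parts(open("report.docx", "rb").read())
    for part, offset, enc, text in scan_activex_parts(build_sample_docx()):
        print(f"{part} @0x{offset:x} [{enc}]: {text}")
```

On a patched Office the .bin parts contain only the control's own property data, so a run of this kind of scan over outbound documents gives a quick way to confirm that no unpatched machine is still stamping memory contents into files. A legitimate control can hold a few readable strings (captions, default values), so treat hits as something to review rather than as proof of a leak.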
