Office memory leak finally patched by Microsoft

An astonishingly simple security hole in Microsoft Office has finally been patched, two months after Microsoft confirmed the problem.  The unanswered question: why did it take so long to discover?  Mimecast discovered the ActiveX memory leak back in November 2018 and told Microsoft.  Two months later, Microsoft fixed the problem in its January 2019 bundle of security bug fixes.

The security bug involves ActiveX controls, which are still supported in Office 2019, Office 365 and Office 2016.  You can find them on the Developer tab under Legacy Tools.

A hacker can send a document with ActiveX controls and get someone to open the document and enable the controls.  When the document is saved, a chunk of Office's memory is saved along with the document … a great big no-no.

As Mimecast shows, the memory saved into the document can include private information that definitely should not be in a Word document.

Example from Mimecast of a OneDrive/SharePoint link wrongly saved in a document.

As far as anyone knows, this Office security bug has not been used by hackers.

If you’ve applied the January 2019 bug fixes, specifically the ones for CVE-2019-0560, then you’re OK.  All supported versions of Office for Windows are affected, from Office 2010 through Office 2019 and Office 365.

What took so long?

Some security bugs in Office are really complex, but others are so simple that you have to wonder what took Microsoft so long.

This security leak has been staring Microsoft in the corporate face for years without detection.  Maybe it was too simple and obvious?  It took Mimecast, a third party, to find it and notify Microsoft.

Mimecast’s description of the bug includes the simple steps to reproduce the problem.  All you have to do is make an Office document with some ActiveX controls, then open up the raw document (it is a zip file) and look at the .bin file saved for each control.
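One way to do that check on a document before it leaves your organisation, as an added example that is not Mimecast's or Microsoft's code: open the Office file as a zip, pull out every ActiveX .bin part, and look for URLs or UNC paths in the leftover bytes.  The sample document it scans is constructed in memory, and the SharePoint link inside it is a made-up value.

```python
import io
import re
import zipfile

# Strings that have no business in an ActiveX control's saved state: URLs and UNC paths.
LEAK_PATTERN = re.compile(r"(https?://\S+|\\\\[\w.$-]+\\\S+)", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    strings = [run.decode("ascii") for run in ascii_runs]
    strings += [run.decode("utf-16-le") for run in utf16_runs]
    return strings


def scan_activex_parts(doc_bytes: bytes) -> dict:
    """Map each ActiveX .bin part in an Office Open XML zip to the URL/UNC strings found in it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
        for name in doc.namelist():
            if "/activeX/" in name and name.lower().endswith(".bin"):
                hits = []
                for text in extract_strings(doc.read(name)):
                    hits.extend(LEAK_PATTERN.findall(text))
                findings[name] = hits
    return findings


def build_sample_docx() -> bytes:
    """Constructed stand-in for a saved document: a minimal OOXML zip whose single
    ActiveX part carries filler bytes plus a (made-up) SharePoint link, in UTF-16LE
    as Windows keeps such strings in memory.  Not a real capture."""
    leaked = "https://example-my.sharepoint.com/personal/user/Documents/budget.xlsx"
    bin_part = (
        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound-file signature, as real .bin parts start
        + b"\x00" * 24 + bytes(range(256))    # constructed filler standing in for control state
        + leaked.encode("utf-16-le") + b"\x00\x00" + b"A" * 16
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        doc.writestr("word/activeX/activeX1.bin", bin_part)
    return buf.getvalue()


if __name__ == "__main__":
    for part, hits in scan_activex_parts(build_sample_docx()).items():
        print(part, hits)  # word/activeX/activeX1.bin ['https://example-my.sharepoint.com/...']
```

Point `scan_activex_parts` at the bytes of a real .docx, .xlsx or .pptx to triage it; an empty list for every part is the result you want.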