April 2020 Office security bug fixes


Microsoft has released about 113 security bug fixes for Windows and Office in their April 2020 dump of patches on ‘Patch Tuesday’.

The main change is a block on external references in VBA code, a change that hasn’t been fully documented.

These security fixes will be pushed out via Windows Update in the usual way.  Cautious users might like to pause Windows Update for a few weeks to avoid any problems caused by the patches, an all too common problem.

Two ways to stop Office automatic updates

Why updating Office is like the Kobayashi Maru, a ‘no win scenario’

Some of the security bugs that caught our eye …

Excel, Word and Office remote code execution bugs

There are two Excel security patches to block ways to run code from within a workbook, CVE-2020-0979 and CVE-2020-0906, plus one in Word, CVE-2020-0980.

Office generally has two more ‘remote code execution’ patches, CVE-2020-0991 and CVE-2020-0760, plus an elevation of privilege patch, CVE-2020-0984.

Jet database engine

Jet is the database heart of Office products, especially Access and Excel.  Security bugs in Jet are a serious concern because the system, while hidden ‘under the hood’, is widely used.

April 2020 sees TEN security problems fixed:

CVE-2020-0995     CVE-2020-0999

CVE-2020-0988     CVE-2020-0992

CVE-2020-0994     CVE-2020-0953

CVE-2020-0889     CVE-2020-0959

CVE-2020-0960     CVE-2020-1008

Graphics Remote Code bug

The Graphics engine is another vital part of Windows and Office. Any time an image or graphic is put on the screen, the graphics engine is involved. Hackers love making images which trick the engine into running other code.

This month there are a dozen security patches released.

Most attention is on the Adobe Font Manager fixes: CVE-2020-1020 and CVE-2020-0938.

There’s a Critical flag on CVE-2020-0687, a remote code execution bug.

And there’s more!

There are many security patches for Windows Media Foundation, three of them marked ‘Critical’, plus a critical security bug in a Codecs library.

There’s even an ‘elevation of privilege’ bug in OneDrive for Windows, CVE-2020-0935.
