New Word security bugs are more ‘interesting’ than usual

Office for Mere Mortals
Your beginners guide to the secrets of Microsoft Office
Invalid email address
Tips and help for Word, Excel, PowerPoint and Outlook from Microsoft Office experts.  Give it a try. You can unsubscribe at any time.  Office for Mere Mortals has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy

Microsoft has just fixed the latest security bugs discovered in Word. They caught our eye because it’s more widespread than usual which is ‘interesting’ in the way of the old proverb*.

The bugs are called CVE-2020-0850, CVE-2020-0851 and CVE-2020-0852 Microsoft gives all the deliberately bland title “Remote Code Execution Vulnerability”.  There have been many, many ‘remote code execution’ security bugs over the years.

Neither of these bugs have been exploited (yet).

Affected Versions

Between the three bugs, these versions are affected:

  • Office 365 for Windows and Mac
  • Office 2019 for Windows and Mac
  • Office 2016 for Windows and Mac
  • Office 2013 for Windows
  • Office Online Server

In other words, any supported Microsoft Office is affected.  All systems should be updated soon but not necessarily right away.

What’s interesting about this bug is the range of software it can affect and the typically misleading and vague information Microsoft gives out.

Office for Mac

Yes, Word for Mac can be affected by these bugs. That’s unusual, normally these security holes are limited to a single operating system but not this time.

Outlook Preview Pane?

According to Microsoft one of this month’s bugs CVE-2020-0852 can also attack a computer via the ‘Preview Pane’.  What does that mean?

Ambiguous excerpt from Microsoft’s CVE-2020-0852

We assume they mean Outlook when they say “Yes, the Preview Pane is an attack vector.”   Is there another ‘Preview Pane’?

CVE-2020-0850 / 1  also mention the ‘Preview Pane’ saying it’s NOT affected.

Microsoft changed the name of the side-pane in Outlook from ‘Preview’ to ‘Reading Pane’ many years ago.  We’ve been gently scolded by ‘softies for using the old terminology so it’s strange that the company itself still uses ‘Preview Pane’ when it suits.

Presumably they are saying that a Word document displayed in the Outlook Reading Pane, not that emails in the reading pane can make use of the security bug. That makes sense since the Word code engine is used by Outlook to display Word docs in the Reading Pane.

But it would be better if Microsoft properly disclosed what they know.

What types of Word documents?

And again, ad nauseum, we see that Microsoft talks vaguely about a “specially crafted file” being used to trigger the security bug.  What type of file?   .doc  .docx  .rtf etc?

Whichever files are affected, they can arrive by any means. Email, cloud share, instant messaging, pony express, whatever.  Microsoft obscures that simple fact in a 135-word paragraph of obfuscation about “attack scenarios”

Copy and Paste documentation

These three security bugs are a good example of how Microsoft uses ‘specially crafted’ bland wording to obscure the severity of problems.

CVE-2020-0850, CVE-2020-0851 and CVE-2020-0852 use the same wording that’s been copied for many similar problems in the past.  Wording that’s designed to downplay and hide Microsoft mistakes.

Sadly, this kind of sloppy documentation of Microsoft security bugs is typical.  They are intended to give the impression of disclosure without really informing customers of the true nature of the problem.

* May you live in interesting times.

Why updating Office is like the Kobayashi Maru a ‘no win scenario’

Two ways to stop Office automatic updates

Microsoft Office non-security updates for January 2020

2019’s top software vulnerabilities featuring Microsoft Office