Rewterz Threat Advisory – Microsoft Multiple Products Multiple Vulnerabilities

SEVERITY: HIGH

CATEGORY: VULNERABILITY

PUBLISH DATE: DECEMBER 17, 2018

ANALYSIS SUMMARY:

CVE-2018-8636: A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka “Microsoft Excel Remote Code Execution Vulnerability.” This affects Office 365 ProPlus, Microsoft Office, Microsoft Excel.

CVE-2018-8598: An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka “Microsoft Excel Information Disclosure Vulnerability.” This affects Office 365 ProPlus, Microsoft Office, Microsoft Excel.

CVE-2018-8627: An information disclosure vulnerability exists when Microsoft Excel software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory, aka “Microsoft Excel Information Disclosure Vulnerability.” This affects Microsoft Office, Office 365 ProPlus, Microsoft Excel, Microsoft Excel Viewer, Excel.

CVE-2018-8628: A remote code execution vulnerability exists in Microsoft PowerPoint software when the software fails to properly handle objects in memory, aka “Microsoft PowerPoint Remote Code Execution Vulnerability.” This affects Microsoft Office, Office 365 ProPlus, Microsoft PowerPoint, Microsoft SharePoint, Microsoft PowerPoint Viewer, Office Online Server, Microsoft SharePoint Server.

CVE-2018-8587: A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka “Microsoft Outlook Remote Code Execution Vulnerability.” This affects Office 365 ProPlus, Microsoft Office, Microsoft Outlook.

CVE-2018-8597: A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka “Microsoft Excel Remote Code Execution Vulnerability.” This affects Office 365 ProPlus, Microsoft Office, Microsoft Excel.

IMPACT:

System access, Exposure of sensitive information, Remote Code execution

AFFECTED PRODUCTS:

• Microsoft Office PowerPoint Viewer 2007
• Microsoft Office Excel Viewer 2007
• Microsoft Office 2010
• Microsoft Excel 2010
• Microsoft PowerPoint 2010
• Microsoft Outlook 2010
• Microsoft Office Web Apps
• Microsoft PowerPoint 2013
• Microsoft Excel 2013
• Microsoft Outlook 2013
• Microsoft Excel 2013 RT
• Microsoft Office Web Apps 2010
• Microsoft Office Web Apps 2013
• Microsoft Office 2016 for Mac
• Microsoft Outlook 2016
• Microsoft PowerPoint 2016
• Microsoft Excel 2016
• Microsoft PowerPoint 2013 RT
• Microsoft Outlook 2013 RT
• Microsoft Office Online Server Office 365 ProPlus (formerly Microsoft Office 2016 Click-to-Run)
• Microsoft Office 2019
• Microsoft Office 2019 for Mac
• Microsoft Office Compatibility Pack for Word/ Excel/ and PowerPoint 2007 File Formats

REMEDIATION: 

Apply update.

• Microsoft Outlook 2016 (64-bit edition) (KB4461544):

https://www.microsoft.com/downloads/details.aspx?familyid=fccd8998-891d-433d-bb91-a773ceccd75a

• Microsoft Outlook 2016 (32-bit edition) (KB4461544): https://www.microsoft.com/downloads/details.aspx?familyid=d7eba548-70cf-4f64-a0c9-0aaaef43e1bb
• Microsoft Outlook 2010 Service Pack 2 (64-bit editions) (KB4461576): https://www.microsoft.com/downloads/details.aspx?familyid=417962fb-11f5-4ef4-a2be-de1c08553a7a

• Microsoft Outlook 2010 Service Pack 2 (32-bit editions) (KB4461576): https://www.microsoft.com/downloads/details.aspx?familyid=2202bcff-350f-4417-9c7d-1a4408facbeb

• Microsoft Outlook 2013 Service Pack 1 (64-bit editions) (KB4461556): https://www.microsoft.com/downloads/details.aspx?familyid=3eb7b982-fac5-4826-8aff-c0f69f41cb46

• Microsoft Outlook 2013 Service Pack 1 (32-bit editions) (KB4461556):
  https://www.microsoft.com/downloads/details.aspx?familyid=422fc39a-1df7-405c-bb66-071ef837092a

• Microsoft Outlook 2013 RT Service Pack 1 (KB4461556): Apply update (please see the vendor’s service database for details).
• Microsoft Office 2016 for Mac: Microsoft Office 2019 for Mac:

https://go.microsoft.com/fwlink/p/?linkid=831049

• Microsoft Excel 2016 (64-bit edition) (KB4461542):

https://www.microsoft.com/downloads/details.aspx?familyid=f9e1fcef-e346-4eb9-a1ef-097c72d535d1

• Microsoft Excel 2016 (32-bit edition) (KB4461542):

https://www.microsoft.com/downloads/details.aspx?familyid=01c85cb5-0ebe-45dd-9de5-338876b50c24

• Microsoft Office 2010 Service Pack 2 (64-bit editions) (KB4461570): https://www.microsoft.com/downloads/details.aspx?familyid=458a64a4-b7bb-41d1-ac3c-b0e53127ef63

• Microsoft Office 2010 Service Pack 2 (32-bit editions) (KB4461570): https://www.microsoft.com/downloads/details.aspx?familyid=e066c8d0-2dc9-45a9-a4ff-da62fb6ac185

• Microsoft Excel 2010 Service Pack 2 (64-bit editions) (KB4461577): https://www.microsoft.com/downloads/details.aspx?familyid=33d26cc3-6bec-49ad-8724-620671ff58d8

• Microsoft Excel 2010 Service Pack 2 (32-bit editions) (KB4461577): https://www.microsoft.com/downloads/details.aspx?familyid=6b2cc234-f3c6-4234-8b32-d87a73e9cf8c

• Microsoft Excel 2013 Service Pack 1 (64-bit editions) (KB4461559): https://www.microsoft.com/downloads/details.aspx?familyid=c90fc155-ff9d-42d6-aa67-b84ebb39051f
• Microsoft Excel 2013 Service Pack 1 (32-bit editions) (KB4461559): https://www.microsoft.com/downloads/details.aspx?familyid=c792f408-26ea-45c6-acf7-9da8c6a91fce

• Microsoft Excel 2013 RT Service Pack 1 (KB4461559): Apply update (please see the vendor’s service database for details).
• Microsoft Office Compatibility Pack Service Pack 3 (KB4461565): https://www.microsoft.com/downloads/details.aspx?familyid=492374f4-68aa-4053-817d-61ad9231fa09

• Microsoft Excel Viewer 2007 Service Pack 3 (KB4461566): https://www.microsoft.com/downloads/details.aspx?familyid=b08f5cb9-b6cb-4066-aee4-5d4a5891ffc9

• Microsoft Office Web Apps 2010 Service Pack 2 (KB2965312): https://www.microsoft.com/downloads/details.aspx?familyid=201ed47a-5a72-4668-8973-44410fc5b108

• Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions) (KB4461521): https://www.microsoft.com/downloads/details.aspx?familyid=f937563f-c668-4bb1-a688-8e6d5d10cd68

• Microsoft PowerPoint 2016 (64-bit edition) (KB4461532): https://www.microsoft.com/downloads/details.aspx?familyid=98053f4d-c589-45f2-9505-87f82b22eef3

• Microsoft PowerPoint 2016 (32-bit edition) (KB4461532): https://www.microsoft.com/downloads/details.aspx?familyid=c5fe6b58-0fcc-480b-a7b5-787e8263dcf8

• Microsoft Office Web Apps 2013 Service Pack 1 (KB4461551): https://www.microsoft.com/downloads/details.aspx?familyid=0a984f01-1d89-4cae-9af8-31bb8cd99d6a

• Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions) (KB4461481): https://www.microsoft.com/downloads/details.aspx?familyid=523f4031-01d4-40fa-9cff-48df6103673b

• Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions) (KB4461481): https://www.microsoft.com/downloads/details.aspx?familyid=fa6acc26-3be9-42fe-886e-271f8f090bc0

• Microsoft PowerPoint 2013 RT Service Pack 1 (KB4461481): Apply update (please see the vendor’s service database for details).
• Microsoft PowerPoint Viewer (KB2597975):

https://www.microsoft.com/downloads/details.aspx?familyid=162367a2-ffe7-4b7f-a95d-bd414c88784a

• Microsoft Office Compatibility Pack Service Pack 3 (KB4011207): https://www.microsoft.com/downloads/details.aspx?familyid=897c9ced-75be-4159-997c-3e982ff4095d

• Office Online Server (KB4011027): https://www.microsoft.com/downloads/details.aspx?familyid=a839c43a-b677-44c5-99d1-1934f2c0ecac
• Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions) (KB4461521): https://www.microsoft.com/downloads/details.aspx?familyid=699c076c-ee32-4664-ae30-41ac938a1b6d

• Office 365 ProPlus for 32-bit Systems: Apply update (please see the vendor’s service database for details).
• Office 365 ProPlus for 64-bit Systems: Apply update (please see the vendor’s service database for details).
• Microsoft Office 2019 for 64-bit editions: Apply update (please see the vendor’s service database for details).
• Microsoft Office 2019 for 32-bit editions: Apply update (please see the vendor’s service database for details).

  Note: Security updates for Microsoft Outlook 2013 RT and Microsoft Excel 2013 RT are available via e.g. Windows Update or Windows Update Catalog only.