Microsoft has released the January 2019 Office security updates, producing seven security updates and three cumulative updates for five different products, six of them patching flaws allowing remote code execution.
January 2020 Patch Tuesday security updates, with security updates for 49 vulnerabilities, seven of them being classified as Critical and 41 as Important.
Microsoft Office vulnerabilities patches
Out of the seven security updates released by Microsoft for several Office products, six patch remote code execution (RCE) bugs detailed in the CVE-2020-0650 , and CVE-2020-0652 security advisories, and impacting Office 2016, Office 2013, Office 2010, Excel 2016, Excel 2013, and Excel 2010.
The RCE security vulnerabilities patched today received a severity rating of 'Important' from Microsoft given that they could allow potential attackers to execute arbitrary code and/or commands after successfully exploiting vulnerable Windows devices.
Worryingly attackers could then install programs, view, change, and delete data, or create new accounts with full user rights on exposed computers.
The other important security update is CVE-2020-0647 a Microsoft Office Online spoofing vulnerability impacting Office Online Server and is caused by incorrect validation of origin in cross-origin communications.
This is the explanation from Microsoft.
"The attacker who successfully exploited the vulnerability could then perform cross-origin attacks on affected systems,"
"These attacks could allow the attacker to read content that the attacker is not authorized to read, and use the victim's identity to take actions on the site on behalf of the victim. The victim needs to be authenticated for an attacker to compromise the victim."
The January Microsoft Office security updates available via the Download Center and the Microsoft Update platform. Additional info on each of them is available within the linked knowledge base article links.
These threats are significant and we would recommend downloading the updates as soon as possible.