Quote:Microsoft released the April 2020 Office security updates on April 14, 2020, with a total of 55 security updates and 5 cumulative updates for 7 different products, and patching 5 critical bugs allowing attackers to run scripts as the current user and remotely execute arbitrary code on unpatched systems.
Out of the 55 Office security updates released by Microsoft today, 12 of them patch remote code execution (RCE) vulnerabilities (details in CVE-2020-0931, CVE-2020-0932, CVE-2020-0929, CVE-2020-0974, CVE-2020-0979, CVE-2020-0980, CVE-2020-0760, CVE-2020-0991, CVE-2020-0961, CVE-2020-0906, CVE-2020-0920, and CVE-2020-0971) within Microsoft Office and Microsoft Office SharePoint products.
The RCE bugs are rated by Microsoft with Critical and Important severity ratings as they could allow attackers to execute arbitrary code in the context of the SharePoint app pool and the SharePoint server farm account after successfully exploiting Windows devices running unpatched Office products.
Attackers could then install programs, view, change, and delete data, as well as create new accounts with full user rights on the compromised computers.
10 cross-site-scripting (XSS) vulnerabilities (details in CVE-2020-0927, CVE-2020-0923, CVE-2020-0925, CVE-2020-0924, CVE-2020-0930, CVE-2020-0933, CVE-2020-0978, CVE-2020-0973, CVE-2020-0926, and CVE-2020-0954) were also fixed to prevent attackers from running scripts in the security context of the current user and impersonate the user, steal sensitive data, or read content without authorization.
Microsoft also patched two elevation of privilege security flaws (details in CVE-2020-0984 and CVE-2020-0935) and four spoofing vulnerabilities (CVE-2020-0975, CVE-2020-0977, CVE-2020-0976, and CVE-2020-0972).
Read more: https://www.bleepingcomputer.com/news/se...-rce-bugs/
![[-]](https://www.geeks.fyi/images/collapse.png)
