Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Excel contains a code execution vulnerability. This specific bug lies in the component of Excel that handles the Microsoft Office HTML and XML file types, first introduced in Office 2000.

Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details Microsoft Office Excel Ordinal43 code execution vulnerability (TALOS-2019-0968/CVE-2020-0759)

An exploitable use-after-free vulnerability exists in Excel in Microsoft Office Professional Plus 2016 x86, version 1909, build 12026.20334 and Microsoft Office 365 ProPlus x86, version 1902, build 11328.20480. A specially crafted XLS file can cause a use after free condition, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested Talos tested and confirmed that this vulnerability affects Microsoft Office Professional Plus 2016 x86, version 1909, build 12026.20334 and Microsoft Office 365 ProPlus x86, version 1902, build 11328.20480.

Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52417, 52418