Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered two code execution vulnerabilities in Microsoft Excel. Microsoft released updates for these two bugs as part of their Patch Tuesday security update this week. Both vulnerabilities specifically relate to the component in Excel that handles the Microsoft Office

HTML and XML file types. An adversary could exploit these vulnerabilities in such a way that would allow them to execute code on the victim machine after tricking the victim into opening a specially crafted Excel file.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details Microsoft Office Excel PivotField code execution vulnerability (TALOS-2020-1027/CVE-2020-1226)

An exploitable use-after-free vulnerability exists in Excel application of Microsoft Office Professional Plus 2016 x86, version 2002, build 12527.20242 and Microsoft Office 365 ProPlus x86, version 1908, build 11929.20606. A specially crafted XLS file can cause a use after free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Office Excel HTML and XML table code execution vulnerability (TALOS-2020-1045/CVE-2020-1225)

An exploitable code execution vulnerability exists in the HTML and XML Table functionality of Excel in Microsoft Office 2016 Professional Plus, version 2002, build 12527.20242 x86 and Microsoft Office 365 Pro Plus x86, version 1908, build 11929.20606. A specially crafted malformed file can cause remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested Talos tested and confirmed that these vulnerabilities affect Microsoft Excel for 2016 Professional Plus, version 2002, build 12527.20242 x86, tested on Windows 10 x86; and Microsoft Office 365 ProPlus x86, version 1908, build 11929.20606.

Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 53487, 53488, 53650, 53651