
Microsoft Office vulnerabilities patched this month

Of the 13 Office security updates released by Microsoft today, 12 patch remote code execution (RCE) vulnerabilities (details in CVE-2020-0850, CVE-2020-0852, and CVE-2020-0892) within Word 2010, SharePoint Server 2010, SharePoint Foundation 2010, SharePoint Server 2010 Office Web Apps, Word 2013, SharePoint Enterprise Server 2013, SharePoint Foundation 2013, Word 2016, SharePoint Enterprise Server 2016, SharePoint Server 2019 Language Pack, and Office Online Server.

Microsoft rates the RCE bugs as 'Important' in severity because successful exploitation could let attackers execute arbitrary code and/or commands on Windows devices running unpatched Office products, as well as take control of devices where the currently logged-on user has administrative user rights.

Attackers could then install programs, view, change, and delete data, as well as create new accounts with full user rights on the compromised computers.

Two cross-site scripting (XSS) vulnerabilities were also patched in SharePoint Enterprise Server 2013 and SharePoint Server 2019 (details in CVE-2020-0795, CVE-2020-0891, CVE-2020-0893, and CVE-2020-0894). They would allow attackers to run scripts in the security context of the current user and impersonate the user, steal sensitive data, or read content without authorization.