Microsoft addresses important severity remote code execution vulnerabilities affecting multiple Office products in the January 2021 Office security updates released during this month’s Patch Tuesday.
In total, this month the company released 26 security updates and 5 cumulative updates for 7 different products, fixing 11 vulnerabilities that could allow attackers to escalate privileges or execute arbitrary code remotely on systems running vulnerable software.
A separate crash problem affecting the Microsoft 365 Apps version of Excel when using certain Windows Security exploit protection settings was also fixed this week.
Microsoft also released non-security Microsoft Office updates last week addressing recurrent Outlook crashes and other issues impacting Windows Installer (MSI) editions of Office 2016 products.
The company also issued the January 2021 Patch Tuesday, with patches for a Microsoft Defender antivirus zero-day exploited in the wild and 83 additional security vulnerabilities, ten of them rated as critical.
Non-security Windows updates were also released on Tuesday with the Windows 10 KB4598229 and KB4598242 cumulative updates.
List of patched Office security vulnerabilities
Office security updates published as part of the January 2021 Patch Tuesday address bugs exposing Windows systems running vulnerable Click to Run and Microsoft Installer (.msi)-based editions of Microsoft Office products to remote code execution (RCE) attacks.
Microsoft rated the six RCE bugs patched this month as Important severity issues since they could enable attackers to execute arbitrary code in the context of the currently logged-in user.
After successful exploitation, the attackers could install malicious programs, view, change, and delete data, as well as create their own admin accounts on compromised Windows devices.
| Tag | CVE ID | CVE Title | Severity |
| Microsoft Office | CVE-2021-1713 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2021-1714 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2021-1711 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2021-1715 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2021-1716 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1712 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1707 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1718 | Microsoft SharePoint Server Tampering Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1717 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1719 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1641 | Microsoft SharePoint Spoofing Vulnerability | Important |
January 2021 Microsoft Office security updates
Microsoft Office security updates are delivered through the Microsoft Update platform and via the Download Center.
Further information about each of them is available within the knowledge base articles linked below.
To download the January 2021 Microsoft Office security updates, you have to click on the corresponding knowledge base article below and then scroll down to the ‘How to download and install the update‘ section.
Microsoft Office 2016
Microsoft Office 2013
Microsoft Office 2010
Microsoft SharePoint Server 2019
Microsoft SharePoint Server 2016
Microsoft SharePoint Server 2013
Microsoft SharePoint Server 2010
Is your business effected by Cyber Crime?
If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.
Digitpol is available 24/7. https://digitpol.com/cybercrime-investigation/
Email: info@digitpol.com
Europe +31558448040
UK +44 20 8089 9944
ASIA +85239733884