Microsoft has released the November 2020 Office security updates with a total of 22 updates and 5 cumulative updates for 7 different products, fixing 14 vulnerabilities with five of them potentially enabling remote attackers to execute arbitrary code on vulnerable systems.
The highlight of this month’s Office security updates is CVE-2020-17061, a high severity Microsoft SharePoint vulnerability discovered by Oleksandr Mirosh from Micro Focus Fortify that leads to remote code execution (RCE).
Attackers could exploit this RCE bug remotely over the Internet in low complexity attacks, requiring only low user privileges and no user interaction for successful exploitation.
CVE-2020-17061 affects several Microsoft SharePoint versions including Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Foundation 2010 Service Pack 2.
The November 2020 Patch Tuesday Office security updates address remote code execution (RCE), security bypass, elevation of privilege, information disclosure, spoofing, and online spoofing vulnerabilities.
Also Read: 15 Best Tools For Your Windows 10 Privacy Settings Setup
The flaws impact Windows systems running vulnerable Microsoft Installer (.msi) and Click to Run editions of Microsoft Office products.
Microsoft rated the five RCE security flaws patched this month as Important severity issues given that they could enable attackers to execute arbitrary code in the context of the currently logged-in user.
Following successful exploitation, the attackers could install malicious programs, view, change, and delete data, as well as create their own admin accounts on compromised Windows devices.
| Tag | CVE ID | CVE Title | Severity |
| Microsoft Office | CVE-2020-17065 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17064 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17066 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17019 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17067 | Microsoft Excel Security Feature Bypass Vulnerability | Important |
| Microsoft Office | CVE-2020-17062 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17063 | Microsoft Office Online Spoofing Vulnerability | Important |
| Microsoft Office | CVE-2020-17020 | Microsoft Word Security Feature Bypass Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17016 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-16979 | Microsoft SharePoint Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17015 | Microsoft SharePoint Spoofing Vulnerability | Low |
| Microsoft Office SharePoint | CVE-2020-17017 | Microsoft SharePoint Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17061 | Microsoft SharePoint Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17060 | Microsoft SharePoint Spoofing Vulnerability | Important |
This month’s Microsoft Office security updates are delivered through the Download Center and via the Microsoft Update platform.
To install one of the security updates, click on their corresponding knowledge base article below and then scroll down to the ‘How to download and install the update‘ section to download the updates for your Office product.
Additional information including CVE IDs assigned to each vulnerability is available within the knowledge base articles linked below.
| Product | Knowledge Base article |
|---|---|
| Excel 2016 | Security update for Excel 2016 (KB4486718) |
| Office 2016 | Security update for Office 2016 (KB4484508) |
| Office 2016 | Security update for Office 2016 (KB4486722) |
| Word 2016 | Security update for Word 2016 (KB4486719) |
| Product | Knowledge Base article |
|---|---|
| Excel 2013 | Security update for Excel 2013 (KB4486734) |
| Office 2013 | Security update for Office 2013 (KB4486725) |
| Office 2013 | Security update for Office 2013 (KB4484520) |
| Word 2013 | Security update for Word 2013 (KB4486730) |
| Product | Knowledge Base article |
|---|---|
| Excel 2010 | Security update for Excel 2010 (KB4486743) |
| Office 2010 | Security update for Office 2010 (KB4486737) |
| Office 2010 | Security update for Office 2010 (KB4486738) |
| Office 2010 | Security update for Office 2010 (KB4484534) |
| Office 2010 | Security update for Office 2010 (KB4484455) |
| Word 2010 | Security update for Word 2010 (KB4486740) |
| Product | Knowledge Base article |
|---|---|
| Office Online Server | Security update for Office Online Server (KB4486713) |
| SharePoint Server 2019 | Security update for SharePoint Server 2019 (KB4486714) |
| Product | Knowledge Base article |
|---|---|
| SharePoint Enterprise Server 2016 | Security update for SharePoint Enterprise Server 2016 (KB4486717) |
| Product | Knowledge Base article |
|---|---|
| Office Web Apps Server 2013 | Security update for Office Web Apps Server 2013 (KB4486733) |
| Project Server 2013 | Cumulative update for Project Server 2013 (KB4486729) |
| SharePoint Enterprise Server 2013 | Security update for SharePoint Enterprise Server 2013 (KB4486723) |
| SharePoint Enterprise Server 2013 | Cumulative update for SharePoint Enterprise Server 2013 (KB4486731) |
| SharePoint Foundation 2013 | Security update for SharePoint Foundation 2013 (KB4486733) |
| SharePoint Foundation 2013 | Cumulative update for SharePoint Foundation 2013 (KB4486728) |
| Product | Knowledge Base article title |
|---|---|
| Project Server 2010 | Cumulative update for Project Server 2010 (KB4486739) |
| SharePoint Foundation 2010 | Security update for SharePoint Foundation 2010 (KB4486744) |
| SharePoint Server 2010 | Security update for SharePoint Server 2010 (KB4486706) |
| SharePoint Server 2010 | Cumulative update for SharePoint Server 2010 (KB4486741) |
Also Read: How To Secure Your WiFi Camera? 4 Points To Consider
Yesterday, Microsoft also released the November 2020 Patch Tuesday security updates with security updates for 112 vulnerabilities, 17 of them being rated as critical, 93 as important, and two as moderate severity.
Non-security Windows updates containing bug fixes and feature improvements were also issued with the Windows 10 KB4586786 & KB4586781 Cumulative Updates.
As part of this month’s Patch Tuesday, Microsoft also addressed a Windows Kernel Cryptography Driver zero-day disclosed by Google last month and tracked as CVE-2020-17087.
The bug impacts computers running Windows 7 or later and it was detected last month by Google’s zero-day hunters while being exploited in targeted attacks.
Established in 2018, Privacy Ninja is a Singapore-based IT security company specialising in data protection and cybersecurity solutions for businesses. We offer services like vulnerability assessments, penetration testing, and outsourced Data Protection Officer support, helping organisations comply with regulations and safeguard their data.
Singapore
7 Temasek Boulevard,
#12-07, Suntec Tower One,
Singapore 038987
