CVE-2020-0652
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code on systems running vulnerable Microsoft Office software by exploiting memory corruption when handling objects. It affects users who open malicious Office documents, potentially leading to full system compromise.
💻 Affected Systems
- Microsoft Office 2019
- Microsoft Office 2016
- Microsoft Office 2013
- Microsoft Office 2010
- Microsoft 365 Apps for Enterprise
📦 What is this software?
Excel by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with administrative privileges, data theft, ransomware deployment, and lateral movement across networks.
Likely Case
Malware installation, credential theft, and persistent backdoor access to the compromised system.
If Mitigated
Limited impact with proper application whitelisting, macro restrictions, and user training preventing malicious document execution.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious document. Proof-of-concept code has been publicly disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in January 2020 (e.g., KB4484381 for Office 2019)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0652
Restart Required: Yes
Instructions:
1. Open Microsoft Office application.
2. Go to File > Account > Update Options > Update Now.
3. Alternatively, use Windows Update to install the latest security updates.
4. Restart the system after installation.
🔧 Temporary Workarounds
Disable Office macro execution
Windows: Prevents malicious macros from executing in Office documents
Set GPO: Computer Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center > Disable all macros without notification
Use Office Viewer mode
Windows: Open documents in Protected View to prevent automatic code execution
Set registry key: HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView = 1
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized Office document execution
- Deploy email filtering to block malicious attachments and train users to avoid opening suspicious documents
🔍 How to Verify
Check if Vulnerable:
Check the Office version in File > Account > About [Application]. If the version predates the January 2020 updates, the system is vulnerable.
Check Version:
wmic product where "name like 'Microsoft Office%'" get version
Verify Fix Applied:
Verify that the January 2020 security update is installed via Windows Update history or Office update status.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Application crashes (Event ID 1000), suspicious child processes spawned from Office applications
- Office telemetry logs showing abnormal document behavior
Network Indicators:
- Outbound connections from Office processes to unknown external IPs
- DNS requests for suspicious domains from Office applications
SIEM Query:
source="windows" event_id=1000 (process_name="WINWORD.EXE" OR process_name="EXCEL.EXE" OR process_name="POWERPNT.EXE")
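An added example (not part of the original advisory page) of the log indicators above: it flags Event ID 1000 crashes of the Office binaries named in the SIEM query and Office-spawned child processes from process-creation events (Event ID 4688), escalating when a child follows a crash on the same host. The event field names, the child-process list and the 300-second window are assumptions.

```python
# Office binaries taken from the page's SIEM query.
OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
# Assumption: child processes treated as suspicious under an Office parent.
SUSPICIOUS_CHILDREN = {"CMD.EXE", "POWERSHELL.EXE", "WSCRIPT.EXE",
                       "CSCRIPT.EXE", "MSHTA.EXE"}
WINDOW_SECONDS = 300  # assumption: crash-to-child correlation window

# Constructed sample events; field names and paths are hypothetical.
SAMPLE_EVENTS = [
    {"time": 100, "host": "ws-a", "event_id": 1000,
     "process": r"C:\Office\EXCEL.EXE"},
    {"time": 160, "host": "ws-a", "event_id": 4688,
     "parent": r"C:\Office\EXCEL.EXE", "process": r"C:\Windows\powershell.exe"},
    {"time": 200, "host": "ws-b", "event_id": 4688,
     "parent": r"C:\Office\WINWORD.EXE", "process": r"C:\Windows\splwow64.exe"},
    {"time": 300, "host": "ws-c", "event_id": 1000,
     "process": r"C:\Windows\notepad.exe"},
    {"time": 900, "host": "ws-b", "event_id": 4688,
     "parent": r"C:\Office\winword.exe", "process": r"C:\Windows\cmd.exe"},
    {"time": 1000, "host": "ws-a", "event_id": 4688,
     "parent": r"C:\Office\EXCEL.EXE", "process": r"C:\Windows\cmd.exe"},
]


def image_name(path):
    """Return the upper-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def detect(events):
    """Return (kind, host, image) alerts in time order."""
    alerts = []
    last_crash = {}  # host -> time of the latest Office crash
    for ev in sorted(events, key=lambda e: e["time"]):
        host, image = ev["host"], image_name(ev["process"])
        if ev["event_id"] == 1000 and image in OFFICE:
            last_crash[host] = ev["time"]
            alerts.append(("office_crash", host, image))
        elif (ev["event_id"] == 4688
              and image_name(ev["parent"]) in OFFICE
              and image in SUSPICIOUS_CHILDREN):
            recent = (host in last_crash
                      and ev["time"] - last_crash[host] <= WINDOW_SECONDS)
            kind = "crash_then_child" if recent else "office_child"
            alerts.append((kind, host, image))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```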