CVE-2020-16929
📋 TL;DR
CVE-2020-16929 is a remote code execution vulnerability in Microsoft Excel caused by improper memory object handling. An attacker can execute arbitrary code by tricking a user into opening a malicious Excel file. All users running affected Excel versions are vulnerable if they open untrusted files.
💻 Affected Systems
- Microsoft Excel
- Microsoft Office
📦 What is this software?
365 Apps by Microsoft
Excel by Microsoft
Excel Web App by Microsoft
Office by Microsoft
Office Web Apps by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative privileges, allowing an attacker to install malware, steal data, create backdoors, and pivot to other systems.
Likely Case
Limited user account compromise leading to data theft, credential harvesting, and lateral movement within the network.
If Mitigated
No impact if users don't open malicious files or if macros/active content are disabled.
🎯 Exploit Status
Exploitation requires a user to open a malicious Excel file. Multiple proofs of concept exist in the security community.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: October 2020 security updates
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16929
Restart Required: Yes
Instructions:
1. Open Excel.
2. Go to File > Account > Update Options > Update Now.
3. Install October 2020 security updates.
4. Restart computer if prompted.
🔧 Temporary Workarounds
Disable automatic opening of Excel files
Windows: Configure Excel to open files in Protected View or disable automatic opening from email/web
Set registry key: HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView with appropriate values
Block Office macros from internet files
Windows: Prevent Excel from running macros in files from internet sources
Set GPO: Computer Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center > Block macros from running in Office files from the Internet
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized Excel execution
- Deploy email filtering to block malicious attachments and train users on phishing awareness
🔍 How to Verify
Check if Vulnerable:
Check Excel version: Open Excel > File > Account > About Excel. If the version predates the October 2020 updates, the system is vulnerable.
Check Version:
In Excel: File > Account > About Excel
Verify Fix Applied:
Verify Excel version includes October 2020 updates (e.g., Version 2002 Build 12527.20278 or later for Microsoft 365)
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Excel crashes with memory access violations
- Process creation from Excel spawning unusual child processes
- Office telemetry showing malicious document properties
Network Indicators:
- Outbound connections from Excel process to suspicious IPs
- DNS requests for command and control domains following Excel execution
SIEM Query:
source="windows" event_id=1000 process_name="EXCEL.EXE" | search "Access violation" OR "memory"
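
The two host-level log indicators above (Excel crashing with an access violation, and Excel spawning an unusual child process) are stronger when correlated per host. The following Python is an added example, not part of the original advisory: the normalized field names "app" and "exception_code", the child-process watchlist, the five-minute window and the sample events are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

# Assumed watchlist of children Excel rarely needs to start; tune per environment.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ACCESS_VIOLATION = "c0000005"  # NTSTATUS STATUS_ACCESS_VIOLATION
WINDOW = timedelta(minutes=5)  # assumed crash/spawn correlation window

# Constructed sample events (not real telemetry), one JSON object per line.
# "app" and "exception_code" are assumed normalized names for Event ID 1000 data.
SAMPLE_LINES = r"""
{"host":"ws01","time":"2020-10-20T09:14:02","event_id":1000,"app":"EXCEL.EXE","exception_code":"0xc0000005"}
{"host":"ws01","time":"2020-10-20T09:14:05","event_id":4688,"ParentProcessName":"C:\\Office16\\EXCEL.EXE","NewProcessName":"C:\\Windows\\System32\\cmd.exe"}
{"host":"ws02","time":"2020-10-20T09:20:00","event_id":4688,"ParentProcessName":"C:\\Office16\\EXCEL.EXE","NewProcessName":"C:\\Windows\\splwow64.exe"}
{"host":"ws03","time":"2020-10-20T10:01:30","event_id":1000,"app":"EXCEL.EXE","exception_code":"0xc0000005"}
{"host":"ws04","time":"2020-10-20T11:45:10","event_id":4688,"ParentProcessName":"C:\\Office16\\EXCEL.EXE","NewProcessName":"C:\\Windows\\System32\\powershell.exe"}
{"host":"ws05","time":"2020-10-20T12:00:00","event_id":1000,"app":"WINWORD.EXE","exception_code":"0xc0000005"}
""".strip().splitlines()

def is_excel(path):
    return basename(path or "").lower() == "excel.exe"

def near(a, b):  # same host and within the correlation window
    return a["host"] == b["host"] and abs(a["time"] - b["time"]) <= WINDOW

def triage(lines):
    """Return (host, child, severity) findings from crash and process-creation events."""
    crashes, spawns = [], []
    for line in lines:
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        if (ev["event_id"] == 1000 and is_excel(ev.get("app"))
                and ev.get("exception_code", "").lower().endswith(ACCESS_VIOLATION)):
            crashes.append(ev)  # Excel faulted with an access violation
        elif (ev["event_id"] == 4688 and is_excel(ev.get("ParentProcessName"))
                and basename(ev["NewProcessName"]).lower() in SUSPECT_CHILDREN):
            spawns.append(ev)   # Excel started a watchlisted child
    # A watchlisted child next to a crash is the strongest signal; either alone still counts.
    findings = [(s["host"], basename(s["NewProcessName"]).lower(),
                 "high" if any(near(s, c) for c in crashes) else "medium") for s in spawns]
    findings += [(c["host"], None, "low") for c in crashes
                 if not any(near(c, s) for s in spawns)]
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Event ID 4688 only carries the parent process name when process-creation auditing is enabled on a Windows version that records it; otherwise substitute an equivalent EDR or Sysmon process-creation feed.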