CVE-2020-16933
📋 TL;DR
CVE-2020-16933 is a security feature bypass vulnerability in Microsoft Word that allows specially crafted .LNK files to execute actions with the current user's permissions. Attackers can exploit this by tricking users into opening malicious files via email or compromised websites. This affects users running vulnerable versions of Microsoft Word.
💻 Affected Systems
- Microsoft Word
📦 What is this software?
365 Apps by Microsoft
Office by Microsoft
Windows 10 by Microsoft
Windows 7 by Microsoft
Windows 8.1 by Microsoft
Windows Rt 8.1 by Microsoft
Word by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of user account leading to data theft, malware installation, lateral movement within network, and privilege escalation if user has administrative rights.
Likely Case
Malware execution, credential theft, or data exfiltration from the compromised user's system.
If Mitigated
Limited impact with proper email filtering, user awareness training, and application whitelisting preventing malicious file execution.
🎯 Exploit Status
Exploitation requires user interaction to open malicious file. No authentication bypass needed as attack targets the user's session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: October 2020 security updates for Microsoft Office
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16933
Restart Required: Yes
Instructions:
1. Apply October 2020 Microsoft Office security updates through Windows Update or Microsoft Update.
2. Restart affected systems.
3. Verify update installation in Control Panel > Programs > Programs and Features > View installed updates.
🔧 Temporary Workarounds
Block .LNK files via email filtering
All platforms: Configure email security gateways to block or quarantine emails containing .LNK attachments.
Disable .LNK file handling in Word
Windows: Configure Group Policy or registry settings to prevent Word from opening .LNK files.
Registry: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock\LNKFiles = 2
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized executable execution
- Enforce user awareness training about opening suspicious email attachments
🔍 How to Verify
Check if Vulnerable:
Check Office version against Microsoft's October 2020 security bulletin. Vulnerable if running affected Word versions without October 2020 updates.
Check Version:
In Word: File > Account > About Word shows version. Command line: wmic product where "name like 'Microsoft Office%'" get version
Verify Fix Applied:
Verify Office version is updated to October 2020 or later security updates. Check Windows Update history for KB4579978 or later Office security updates.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Process creation events for suspicious child processes from WINWORD.EXE
- Office telemetry logs showing .LNK file opens
Network Indicators:
- Outbound connections from Word process to suspicious domains
- DNS queries for command and control infrastructure
SIEM Query:
Process Creation where ParentImage contains "WINWORD.EXE" and (CommandLine contains ".lnk" or Image contains suspicious executables)
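The SIEM query above, written out as an added Python example (not part of the original advisory or any vendor tooling) and run over constructed process-creation records that use Sysmon Event ID 1 field names. The SUSPICIOUS_CHILDREN list is an assumption, since the page does not say which executables count as suspicious, and the parent is matched on its exact file name rather than with "contains".

```python
import ntpath

# Assumption: child images treated as suspicious when Word spawns them.
# The advisory does not enumerate them; tune this set for your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed sample events (Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2020-10-14 09:01:12",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\invoice.lnk"'},
    {"UtcTime": "2020-10-14 09:03:40",  # printing helper, expected under Word
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 8192"},
    {"UtcTime": "2020-10-14 09:05:02",  # suspicious child, but parent is not Word
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoLogo"},
    {"UtcTime": "2020-10-14 09:07:55",  # lower-case parent path must still match
     "ParentImage": r"c:\program files\microsoft office\root\office16\winword.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe"},
]

def image_name(path):
    """File name of a Windows path, lower-cased, surrounding quotes removed."""
    return ntpath.basename(path.strip('"')).lower()

def match_reasons(event):
    """Return the list of matched conditions, or None if the event is not a hit."""
    if image_name(event.get("ParentImage", "")) != "winword.exe":
        return None
    reasons = []
    if ".lnk" in event.get("CommandLine", "").lower():
        reasons.append("lnk_in_commandline")
    if image_name(event.get("Image", "")) in SUSPICIOUS_CHILDREN:
        reasons.append("suspicious_child")
    return reasons or None

def hunt(events):
    """Return (time, child image, reasons) for every event that matches."""
    return [(e["UtcTime"], e["Image"], r) for e in events if (r := match_reasons(e))]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```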