Vulnerability CVE-2019-0560 gives documents that have embedded ActiveX controls the ability to release machine information and user information such as passwords. The vulnerability was first discovered in November and it affects five different versions of Office, including Office 2010, Office 2013, Office 2016, Office 2019, and Office 365 ProPlus that use ActiveX controls. “This memory leak leads to the permanent writing of memory content into different Microsoft Office files and thus, the potential for the unintended leakage of sensitive information and local machine information. If known, this is the type of data could be useful to cybercriminals for executing a malware-enabled, remote execution attack and at least as important—to steal sensitive information,” said researchers. For an attacker to exploit the vulnerability, they would have to know the memory address of where the object was created. Patches have been released by Microsoft and are listed with an “Important” severity rating.
Users that operate on any affected version with ActiveX controls should download the January 2019 security updates.