CVE-2020-0980: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-0980) was identified in Microsoft Word software that occurs when the application fails to properly handle objects in memory. The vulnerability was disclosed and patched by Microsoft in April 2020, affecting multiple versions of Microsoft Office products including Office 2010 SP2, Office 2016 for Mac, Office 2019, Office 365 ProPlus, and Office Online Server (NVD, Microsoft Support).

The vulnerability received a CVSS v3.1 base score of 7.8 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Under CVSS v2.0, it received a base score of 9.3 (High) with the vector (AV:N/AC:M/Au:N/C:C/I:C/A:C). The vulnerability requires user interaction to be exploited (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current user. If the current user has administrative privileges, the attacker could take control of the affected system, install programs, view, change, or delete data, or create new accounts with full user rights (Microsoft Support).

Microsoft released security updates to address this vulnerability as part of their April 2020 security updates. The patches are available through Microsoft Update, Microsoft Update Catalog, and as standalone packages through the Microsoft Download Center. For Office Online Server, after applying the security update, it's recommended to change the logging verbosity from Verbose to Medium using the command 'Set-OfficeWebAppsFarm -LogVerbosity "Medium"' followed by restarting the Office Online Service (Microsoft Support).