CVE-2020-1226: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-1226) exists in Microsoft Excel software when the software fails to properly handle objects in memory. The vulnerability was discovered in Microsoft Office Professional Plus 2016 x86 (version 2002, build 12527.20242) and Microsoft Office 365 ProPlus x86 (version 1908, build 11929.20606). The issue was disclosed to the vendor on March 19, 2020, and Microsoft released a patch on June 9, 2020 (Talos Report).

The vulnerability is specifically related to the component responsible for handling Microsoft Office HTML and XML format. A specially crafted XLS file containing malformed HTML/XML tags can trigger a use-after-free condition. The vulnerability received a CVSS v3 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity. The technical analysis revealed that after object deallocation, the null value is not assigned to the pointer related to this object, allowing bypass of protection checks against object reuse (Talos Report).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the target system with the privileges of the current user. Through proper heap grooming, an attacker could gain full control of the use-after-free vulnerability, potentially leading to remote code execution (Talos Report).

Microsoft has released a security update to address this vulnerability. Users should apply the patch KB4484403 for Microsoft Excel 2016 and ensure their Office installations are updated to the latest version (Rapid7).