===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2020.0039
      Microsoft Patch Day (February 2020) updates for Office products
                             13 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Office 2010
                      Microsoft Office 2013
                      Microsoft Office 2016
                      Microsoft Office 2019
                      SharePoint Enterprise Server 2016
                      SharePoint Enterprise Server 2013 SP1
                      SharePoint Server 2019
                      Office 365 ProPlus
                      Office Online Server
Operating System:     Windows
                      Mac OS
Impact/Access:        Administrator Compromise        -- Existing Account            
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Existing Account            
                      Provide Misleading Information  -- Remote/Unauthenticated      
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-0759 CVE-2020-0697 CVE-2020-0696
                      CVE-2020-0695 CVE-2020-0694 CVE-2020-0693
Member content until: Saturday, March 14 2020

OVERVIEW

        Microsoft has released its monthly security patch update for the month of February 2020.
        
        This update resolves 6 vulnerabilities across the following products: [1]
        
         Microsoft Excel 2010 Service Pack 2 (32-bit editions)
         Microsoft Excel 2010 Service Pack 2 (64-bit editions)
         Microsoft Excel 2013 RT Service Pack 1
         Microsoft Excel 2013 Service Pack 1 (32-bit editions)
         Microsoft Excel 2013 Service Pack 1 (64-bit editions)
         Microsoft Excel 2016 (32-bit edition)
         Microsoft Excel 2016 (64-bit edition)
         Microsoft Office 2016 for Mac
         Microsoft Office 2019 for 32-bit editions
         Microsoft Office 2019 for 64-bit editions
         Microsoft Office 2019 for Mac
         Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
         Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
         Microsoft Outlook 2013 RT Service Pack 1
         Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
         Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
         Microsoft Outlook 2016 (32-bit edition)
         Microsoft Outlook 2016 (64-bit edition)
         Microsoft SharePoint Enterprise Server 2016
         Microsoft SharePoint Server 2013 Service Pack 1
         Microsoft SharePoint Server 2019
         Office 365 ProPlus for 32-bit Systems
         Office 365 ProPlus for 64-bit Systems
         Office Online Server


IMPACT

        Microsoft has given the following details regarding these vulnerabilities.
        
         Details         Impact                   Severity
         CVE-2020-0693   Spoofing                 Important
         CVE-2020-0694   Spoofing                 Important
         CVE-2020-0695   Spoofing                 Important
         CVE-2020-0696   Security Feature Bypass  Important
         CVE-2020-0697   Tampering                Important
         CVE-2020-0759   Remote Code Execution    Important


MITIGATION

        Microsoft recommends updating the software with the version made available on
        the Microsoft Update Catalogue for the following Knowledge Base articles. [1]
        
         KB4484163, KB4484265, KB4484264, KB4484267, KB4484255
         KB4484254, KB4484259, KB4484156, KB4484250, KB4484256


REFERENCES

        [1] Microsoft Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================