CVE-2020-16933 Overview
A security feature bypass vulnerability exists in Microsoft Word software when it fails to properly handle .LNK files. An attacker who successfully exploits this vulnerability could use a specially crafted file to perform actions in the security context of the current user, effectively allowing the file to take actions on behalf of the logged-on user with the same permissions as the current user.
The vulnerability can be exploited through multiple attack vectors. In an email attack scenario, an attacker could send a specially crafted file to a user and convince them to open it. In a web-based attack scenario, an attacker could host a website containing a malicious file designed to exploit this vulnerability. However, user interaction is required as the attacker must convince the victim to click a link and open the specially crafted file.
Critical Impact
Successful exploitation allows attackers to bypass security features and execute actions with the privileges of the current user, potentially leading to complete system compromise through credential theft, malware installation, or lateral movement.
Affected Products
- Microsoft Word 2010 SP2, 2013 SP1, 2016
- Microsoft Office 2016, 2019 (Windows and macOS)
- Microsoft 365 Apps for Enterprise
- Microsoft Windows 7 SP1, 8.1, RT 8.1, 10 (multiple versions)
- Microsoft Windows Server 2008 SP2/R2 SP1, 2012, 2012 R2, 2016, 2019
Discovery Timeline
- 2020-10-16 - CVE-2020-16933 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2020-16933
Vulnerability Analysis
This security feature bypass vulnerability arises from improper handling of .LNK (Windows shortcut) files within Microsoft Word. When a user opens a specially crafted Word document containing or referencing a malicious .LNK file, the application fails to properly validate and restrict the actions that can be performed through these shortcut files.
The vulnerability allows an attacker to circumvent security controls that would normally prevent potentially dangerous operations. Since the malicious actions execute in the security context of the current user, an attacker gains the ability to perform any action the user is authorized to execute, including accessing sensitive files, modifying system configurations, or installing additional malicious payloads.
Because the attack is delivered over the network and requires user interaction, exploitation depends on social engineering: attackers must craft convincing lures to trick users into opening malicious documents.
Root Cause
The root cause of this vulnerability is improper input validation and security control enforcement when Microsoft Word processes .LNK files embedded in or referenced by Word documents. The application fails to adequately sanitize or restrict the capabilities of shortcut files, allowing them to bypass intended security boundaries designed to protect users from malicious document-based attacks.
Attack Vector
The vulnerability can be exploited through two primary attack scenarios:
- Email-based Attack: The attacker sends a phishing email containing a specially crafted Word document with a malicious .LNK file. When the victim opens the document, the vulnerability is triggered, allowing the attacker to execute actions with the user's privileges.
- Web-based Attack: The attacker hosts a malicious Word document on a website (or leverages a compromised site that accepts user-uploaded content). The attacker then uses social engineering techniques to convince the victim to visit the site and download/open the malicious file.
In both scenarios, the attack chain requires user interaction—the victim must be convinced to open the specially crafted document. Once opened, the malicious .LNK file bypasses security protections and executes in the context of the logged-on user.
Detection Methods for CVE-2020-16933
Indicators of Compromise
- Word documents containing embedded or referenced .LNK files from untrusted sources
- Unusual child processes spawned by WINWORD.EXE, particularly command shells or scripting engines
- Suspicious network connections initiated after opening Word documents
- Unexpected file modifications or registry changes following document access
Detection Strategies
- Monitor for Microsoft Word spawning child processes such as cmd.exe, powershell.exe, or wscript.exe
- Implement email gateway rules to scan and flag Word documents containing embedded shortcut files
- Deploy endpoint detection rules to identify .LNK file processing anomalies within Office applications
- Analyze document metadata and embedded objects for suspicious shortcut file characteristics
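One way a mail or web gateway could implement the "flag Word documents containing embedded shortcut files" check is sketched below. This is an added example, not code from the advisory or from Microsoft. It assumes OOXML (.docx) input and uses hypothetical function names. It looks for the fixed 20-byte Shell Link header defined in MS-SHLLINK, plus `.lnk` name strings, inside every part of the package. The sample document is constructed inline and contains only header bytes.

```python
import io
import zipfile

# First 20 bytes of every Shell Link (.LNK) file per MS-SHLLINK:
# HeaderSize 0x0000004C, then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# ".lnk" as it may appear in embedded-object or relationship names.
LNK_NAME_MARKERS = (b".lnk", ".lnk".encode("utf-16-le"))
MAX_PART_SIZE = 50 * 1024 * 1024  # assumed limit; refuse to inflate huge parts


def scan_docx_for_lnk(data: bytes) -> list:
    """Return one finding per package part that carries shortcut indicators."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc or a non-document: out of scope for this sketch.
        return [{"member": None, "reason": "not-ooxml"}]
    with archive:
        for info in archive.infolist():
            if info.file_size > MAX_PART_SIZE:
                findings.append({"member": info.filename, "reason": "oversized"})
                continue
            blob = archive.read(info)
            if LNK_HEADER in blob:  # exact bytes, so no case folding here
                findings.append({"member": info.filename, "reason": "lnk-header"})
            elif any(m in blob.lower() for m in LNK_NAME_MARKERS):
                findings.append({"member": info.filename, "reason": "lnk-name"})
    return findings


def build_constructed_sample(with_lnk: bool) -> bytes:
    """Build a tiny, inert OOXML-like ZIP for the demo (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        payload = b"\x00" * 64
        if with_lnk:
            payload = b"OLE-wrapper-bytes" + LNK_HEADER + b"\x00" * 56
        z.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx_for_lnk(build_constructed_sample(True)))
```

A `lnk-name` hit is a triage signal only, since ordinary document text can mention `.lnk`; a `lnk-header` hit inside `word/embeddings/` is the stronger indicator.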
Monitoring Recommendations
- Enable enhanced logging for Microsoft Office applications to capture file access and process creation events
- Configure SIEM alerts for unusual process hierarchy patterns originating from Word processes
- Monitor network traffic for connections initiated by Office processes to external destinations
- Implement user behavior analytics to detect anomalous document access patterns
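The process-hierarchy alerting recommended above, as an added example that is not part of the original advisory: it flags `cmd.exe`, `powershell.exe`, or `wscript.exe` whenever WINWORD.EXE appears anywhere in the ancestry, so an intermediate process does not hide the chain. The event shape (loosely modeled on Sysmon Event ID 1), field names, and sample events are constructed assumptions.

```python
import ntpath

SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}  # names from this page
OFFICE_PARENT = "winword.exe"

# Constructed process-creation events, in creation order.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\splwow64.exe"},
    {"pid": 220, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 230, "ppid": 220,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
]


def image_name(image):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(image).lower()


def word_descendant_alerts(events):
    """Flag shells and script hosts whose ancestry includes WINWORD.EXE."""
    by_pid = {}
    alerts = []
    for ev in events:
        # Real telemetry should key on a unique process GUID; PIDs get reused.
        by_pid[ev["pid"]] = ev
        if image_name(ev["image"]) not in SUSPECT_CHILDREN:
            continue
        chain, seen, cur = [], set(), ev
        while cur is not None and cur["pid"] not in seen:  # stop on PID loops
            seen.add(cur["pid"])
            chain.append(image_name(cur["image"]))
            cur = by_pid.get(cur["ppid"])
        if OFFICE_PARENT in chain[1:]:
            cut = chain.index(OFFICE_PARENT)
            lineage = " > ".join(reversed(chain[:cut + 1]))
            alerts.append({"pid": ev["pid"], "chain": lineage})
    return alerts


if __name__ == "__main__":
    for alert in word_descendant_alerts(SAMPLE_EVENTS):
        print(alert)
```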
How to Mitigate CVE-2020-16933
Immediate Actions Required
- Apply the Microsoft security update addressing CVE-2020-16933 immediately
- Enable Protected View for documents originating from the Internet or email attachments
- Configure Microsoft Defender to block execution of untrusted Office macros and embedded objects
- Educate users about the risks of opening documents from untrusted sources
Patch Information
Microsoft has released a security update that corrects how Microsoft Word handles .LNK files. The patch is available through:
- Windows Update
- Microsoft Update Catalog
- Microsoft Security Advisory CVE-2020-16933
Organizations should prioritize deployment of this update across all affected Microsoft Word and Office installations, including both Windows and macOS platforms.
Workarounds
- Configure Group Policy to block .LNK files embedded in Office documents
- Enable Application Guard for Office to isolate potentially malicious documents
- Restrict users from opening Office documents from untrusted locations without administrator approval
- Implement strict email attachment filtering to quarantine suspicious Word documents
# Example: Configure Office Protected View via Registry
# Enable Protected View for files from the Internet
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v EnableInternetFilesInPV /t REG_DWORD /d 1 /f
# Enable Protected View for Outlook attachments
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v EnableAttachmentsInPV /t REG_DWORD /d 1 /f
# Enable Protected View for files in unsafe locations
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v EnableUnsafeLocationsInPV /t REG_DWORD /d 1 /f


