CVE-2020-17064 Overview
CVE-2020-17064 is a Remote Code Execution (RCE) vulnerability affecting Microsoft Excel and related Microsoft Office products. It allows an attacker to execute arbitrary code on the target system when a user opens a specially crafted Excel file. The attack vector is local and requires user interaction, making it a prime candidate for spear-phishing and social engineering campaigns targeting organizations that rely heavily on Microsoft Office productivity tools.
Critical Impact
Successful exploitation of this vulnerability enables an attacker to execute arbitrary code with the privileges of the current user. If the user has administrative rights, the attacker could install programs, modify data, or create new accounts with full user rights.
Affected Products
- Microsoft 365 Apps for Enterprise
- Microsoft Excel 2010 SP2, 2013 SP1, 2016
- Microsoft Office 2010 SP2, 2013 SP1, 2016, 2019
- Microsoft Office Web Apps 2013 SP1
Discovery Timeline
- November 11, 2020 - CVE-2020-17064 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-17064
Vulnerability Analysis
This Remote Code Execution vulnerability exists within Microsoft Excel's parsing engine when processing specially crafted spreadsheet files. The vulnerability is triggered when a user opens a malicious Excel document, which could be delivered via email attachment, web download, or shared network drive.
The attack requires user interaction (opening the malicious file), which is typical for document-based exploitation vectors in Microsoft Office products. Once the file is opened, the attacker's code executes within the context of the current user's permissions, potentially leading to complete system compromise if the user has elevated privileges.
The vulnerability's EPSS score places it in the 94th percentile for likelihood of exploitation in the wild, indicating significant real-world exploitation potential.
Root Cause
The vulnerability stems from improper handling of objects in memory within Microsoft Excel. While Microsoft has not disclosed specific technical details about the root cause (classified as NVD-CWE-noinfo), such vulnerabilities in Office products typically involve memory corruption issues during file parsing operations, where malformed data structures can lead to unexpected code execution paths.
Attack Vector
The attack requires local file access and user interaction. A typical attack scenario involves:
- An attacker crafts a malicious Excel file containing specially constructed data structures
- The malicious file is delivered to the victim via phishing email, compromised website, or file-sharing service
- The victim opens the Excel file, triggering the vulnerability
- Arbitrary code executes with the victim's privileges, potentially allowing full system compromise
The local attack vector with user interaction requirement means that attackers must employ social engineering techniques to convince users to open the malicious document. Common delivery methods include email attachments disguised as invoices, financial reports, or other business documents that users would typically open in Excel.
Detection Methods for CVE-2020-17064
Indicators of Compromise
- Suspicious Excel files with unusual embedded objects or macros received from external sources
- Unexpected child processes spawning from EXCEL.EXE (e.g., cmd.exe, powershell.exe, wscript.exe)
- Anomalous network connections initiated by the Excel process
- Unusual file system modifications following Excel document opens
Detection Strategies
- Deploy endpoint detection rules to monitor for suspicious process trees where EXCEL.EXE spawns command interpreters or scripting engines
- Implement email gateway filtering to quarantine Excel attachments from untrusted sources for sandboxed analysis
- Enable Microsoft Office Protected View and Application Guard for enhanced document isolation
- Configure SIEM rules to correlate Excel process events with subsequent suspicious activities
Monitoring Recommendations
- Monitor process creation events for child processes of Microsoft Excel with command-line arguments indicating script execution
- Enable Windows Event logging for document open events and track files opened from suspicious locations (temp folders, download directories)
- Implement network monitoring to detect unusual outbound connections from Office processes
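The process-tree rule described under Detection Strategies and Monitoring Recommendations, as an added Python example (not SentinelOne or Microsoft code). It goes one step beyond direct children by walking the whole parent chain, and runs over constructed Sysmon Event ID 1 records. The GUIDs, paths and command lines are invented; cscript.exe, mshta.exe, pwsh.exe and the directory fragments are assumptions beyond the names on the page.

```python
import ntpath

# cmd.exe, powershell.exe and wscript.exe are named on the page; the rest are assumptions.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "pwsh.exe"}
# Assumed path fragments for "temp folders, download directories".
RISKY_DIRS = ("\\downloads\\", "\\temp\\")

def ev(guid, parent, image, cmd):
    """Build one record with the Sysmon Event ID 1 fields this rule needs."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image, "CommandLine": cmd}

# Constructed sample events (GUIDs shortened, paths and command lines invented).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EVENTS = [
    ev("g1", "g0", r"C:\Windows\explorer.exe", "explorer.exe"),
    ev("g2", "g1", EXCEL, r'"EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xlsx"'),
    ev("g3", "g2", r"C:\Windows\System32\cmd.exe", "cmd.exe /c example.bat"),
    ev("g4", "g3", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -File example.ps1"),
    ev("g5", "g1", EXCEL, r'"EXCEL.EXE" "C:\Finance\budget.xlsx"'),
    ev("g6", "g5", r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
    ev("g7", "g1", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

def name(path):
    return ntpath.basename(path).lower()

def excel_ancestor(event, by_guid):
    """Walk the parent chain; return the nearest EXCEL.EXE ancestor or None."""
    seen, guid = set(), event["ParentProcessGuid"]
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        if name(by_guid[guid]["Image"]) == "excel.exe":
            return by_guid[guid]
        guid = by_guid[guid]["ParentProcessGuid"]
    return None

def find_alerts(events):
    """Flag script hosts that descend from Excel, noting where the workbook came from."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        excel = excel_ancestor(e, by_guid) if name(e["Image"]) in SCRIPT_HOSTS else None
        if excel:
            risky = any(d in excel["CommandLine"].lower() for d in RISKY_DIRS)
            alerts.append({"child": name(e["Image"]), "guid": e["ProcessGuid"],
                           "excel_guid": excel["ProcessGuid"], "risky_document": risky})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

The powershell.exe event is flagged even though its direct parent is cmd.exe, which a rule matching only on ParentImage would miss.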
How to Mitigate CVE-2020-17064
Immediate Actions Required
- Apply the latest Microsoft security updates for all affected Microsoft Office products immediately
- Enable Microsoft Office Protected View to open documents from untrusted sources in read-only mode
- Implement application allowlisting to prevent unauthorized code execution
- Deploy SentinelOne endpoint protection with behavioral AI to detect and block exploitation attempts
Patch Information
Microsoft has released security updates to address this vulnerability. Organizations should apply the patches available through Windows Update or the Microsoft Update Catalog. Detailed patch information is available in the Microsoft Security Advisory CVE-2020-17064.
For enterprise environments, administrators should prioritize deployment through WSUS, SCCM, or other patch management solutions to ensure comprehensive coverage across all affected systems.
Workarounds
- Configure Microsoft Excel to open files from the Internet in Protected View by default
- Disable preview pane functionality in Windows Explorer to prevent automatic document rendering
- Implement email attachment policies to block or quarantine Excel files from external senders
- Train users to verify document sources before opening Excel attachments
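# Example: Configure Protected View via Registry
# A value of 0 leaves Protected View enabled for that file source; 1 would turn it off.
# 16.0 covers Office 2016, 2019 and Microsoft 365 Apps; Office 2013 uses 15.0 and Office 2010 uses 14.0.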
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableAttachementsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f


