The following advisory describes an information disclosure vulnerability found in Microsoft Office versions 2010, 2013, and 2016.
Microsoft Office is: “Whether you’re working or playing, Microsoft is here to help. We’re the company that created Microsoft Office, including Office 365 Home, Office 365 Personal, Office Home & Student 2016, Office Home & Business 2016, and Office Professional 2016. You can also get Office for Mac. Whatever your needs—whether professional or simply for fun—we’ve got you covered. The powerful software in Microsoft Office 2013 remains in Microsoft Office 2016.”
An independent security researcher, Björn Ruytenberg, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Microsoft was informed of the vulnerability, to which they responded with:
“Upon investigation, we have determined that this submission does not meet the bar for security servicing. Unfortunately images are commonly used in emails and other locations that are sourced from external sites, those sites can use that request for basic tracking information. Your report about SMBTrap is also a well documented publicly disclosed item and would not meet the bar. In addition the PoC requires a user to disable their security, specifically the Protected View, stating that they trust the source.
As such, this email thread has been closed and will no longer be monitored.”