On December 14, 2021 (the second Tuesday of the month, Microsoft Patchday), Microsoft released several security-related updates for still-supported Microsoft Office versions and other products. Once again, an RCE vulnerability in Excel is closed. For Microsoft Access, however, an update causes massive problems. Here you can find an overview of the available updates.
General information
The updates apply to the installable MSI version of Office (the click-to-run packages get the updates through other channels). An overview of the updates can be found on this web page (and here for December). Details are documented in the linked KB articles. Office 2019 does not appear in the list because it is distributed via click-to-run packages and receives security updates via the Office Update feature.
Office 2016
The following security updates have been released for Office 2016.
- Excel 2016: Description of the security update for Excel 2016: December 14, 2021 (KB5002098); This security update resolves a remote code execution vulnerability in Microsoft Excel. For more information about this vulnerability, see CVE-2021-43256.
- Office 2016: Description of the security update for Office 2016: December 14, 2021 (KB5002099); This security update resolves a privilege escalation vulnerability in the Microsoft Jet Red database engine and the Access connectivity engine. For more information about this vulnerability, see CVE-2021-42293.
- Office 2016: Description of the security update for Office 2016: December 14, 2021 (KB5002033); This security update resolves a Microsoft Office Trust Center spoofing vulnerability. For more information about this vulnerability, see CVE-2021-43255.
- Office 2016: Description of the security update for Office 2016: December 14, 2021 (KB4504745); This security update resolves a Microsoft Office Trust Center spoofing vulnerability. For more information about this vulnerability, see CVE-2021-43255.
- Office 2016: Description of the security update for Office 2016: December 14, 2021 (KB4504710); This security update resolves an information disclosure vulnerability in Visual Basic for Applications. For more information about this vulnerability, see CVE-2021-42295.
Details about the Office updates can be found in the linked KB articles.
Office Update KB5002099 Causes Access Issues
Update KB5002099 fixes vulnerability CVE-2021-42293 in the Microsoft Jet Red database engine and Access connectivity engine that allows elevation of privilege. However, readers of my German blog have reported issues with the Access engine after installing the update.
MS Access no longer works. Databases can now only be edited by one person at a time.
Other readers confirmed this, and another reader named the above update as the cause.
Addendum: Microsoft has confirmed this issue and provided initial fixes, see Microsoft confirms issues in all Access versions after December 2021 Update.
Office 2013
Office 2013 requires Service Pack 1 for Microsoft Office 2013 to be installed. The following security updates have been released. The same security vulnerabilities as in Microsoft Office 2016 are fixed.
- Excel 2013: Description of the security update for Excel 2013: December 14, 2021 (KB5002105)
- Office 2013: Description of the security update for Office 2013: December 14, 2021 (KB5002104)
- Office 2013: Description of the security update for Office 2013: December 14, 2021 (KB5002101)
- Office 2013: Description of the security update for Office 2013: December 14, 2021 (KB4486726)
The updates for Office 2013 fix the same vulnerabilities as the updates for Office 2016; update KB5002104 is also likely to cause the Access issues described above.
Other updates for Office/SharePoint Server
Microsoft has also released security updates for various versions of Microsoft SharePoint Server.
SharePoint Server Subscription Edition
- Office 2013: Description of the security update for Office 2013: December 14, 2021 (KB5002101)
- Office 2013: Description of the security update for Office 2013: December 14, 2021 (KB4486726)
SharePoint Server 2019
- Office Online Server: Description of the security update for Office Online Server: December 14, 2021 (KB5002097)
- SharePoint Server 2019: Description of the security update for SharePoint Server 2019: December 14, 2021 (KB5002054)
- SharePoint Server 2019 Language Pack: Description of the security update for SharePoint Server 2019 Language Pack: December 14, 2021 (KB5002061)
Microsoft SharePoint Server 2016
- SharePoint Enterprise Server 2016: Description of the security update for SharePoint Enterprise Server 2016: December 14, 2021 (KB5002055)
- SharePoint Enterprise Server 2016: Description of the security update for SharePoint Enterprise Server 2016: December 14, 2021 (KB5002059)
Microsoft SharePoint Server 2013
- Office Web Apps Server: Description of the security update for Office Web Apps Server 2013: December 14, 2021 (KB5002103)
- Project Server 2013: December 14, 2021, cumulative update for Project Server 2013 (KB5002067)
- SharePoint Enterprise Server 2013: December 14, 2021, cumulative update for SharePoint Enterprise Server 2013 (KB5002070)
- SharePoint Enterprise Server 2013: Description of the security update for SharePoint Enterprise Server 2013: December 14, 2021 (KB5002008)
- SharePoint Foundation 2013: December 14, 2021, cumulative update for SharePoint Foundation 2013 (KB5002066)
- SharePoint Foundation 2013: Description of the security update for SharePoint Foundation 2013: December 14, 2021 (KB5002071)
- SharePoint Foundation 2013: Description of the security update for SharePoint Foundation 2013: December 14, 2021 (KB5002015)