In a blog post, Mimecast explains that the vulnerability is likely to have caused the "widespread, unintended leakage of sensitive information in millions of previously created Office files".
Mimecast said it found the vulnerability while investigating what it initially thought to be a "false positive" malware detection report from one of its customers.
Instead, it turned out Microsoft Office had a memory leak that had the potential to allow for the unintentional disclosure of users' data from any Office suite that was utilising ActiveX.
Microsoft's response
Mimecast said that the vulnerability was classified as "important" by Microsoft, and was patched.
According to Microsoft's classification levels, this means it could have caused the "compromise of the confidentiality, integrity, or availability of a user's data, or of the integrity or availability of processing resources", said Mimecast.
Mimecast reported the vulnerability to Microsoft in November, and it was patched in yesterday's 8 January CVE-2019-0560 patch.
However, Mimecast recommends removing or re-saving files created by vulnerable versions of Office as these files may still be compromised.
