Microsoft Patches 17 Year-Old Vulnerability in Office

Microsoft on Tuesday released its November 2017 security updates to resolve 53 vulnerabilities across products, including a security bug that has impacted all versions of its Microsoft Office suite over the past 17 years.

Tracked as CVE-2017-11882, the vulnerability resides in the Microsoft Equation Editor (EQNEDT32.EXE), a tool that provides users with the ability to insert and edit mathematical equations inside Office documents.

The bug was discovered by Embedi security researchers as part of very old code in Microsoft Office. The vulnerable version of EQNEDT32.EXE was compiled on November 9, 2000, “without essential protective measures,” the researchers say.

Although the component was replaced in Office 2007 with new methods of displaying and editing equations, Microsoft kept the vulnerable file up and running in the suite, most likely to ensure compatibility with older documents.

“The component is an OutProc COM server executed in a separate address space. This means that security mechanisms and policies of the Office processes do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities,” Embedi notes in a research paper (PDF).

EQNEDT32.EXE, the researchers explain, employs a set of standard COM interfaces for Object Linking and Embedding (OLE), an Office feature already known to be abused by cybercriminals.

The researchers discovered that they could trigger a buffer overflow through a function designed to “copy null-term lines from an internal form to buffer which was sent to it as the first argument.” The bug, the researchers say, can be exploited to achieve arbitrary code execution.
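As an added illustration of the bug class the researchers describe (this is example code written for this page, not Embedi's or Microsoft's, and the 40-byte buffer size is a constructed value the page does not give), the unbounded copy pattern is shown beside a bounded version that rejects over-long input instead of overrunning the caller's buffer:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Capacity of the caller's fixed buffer (constructed value for this example). */
#define DEST_SIZE 40

/* The pattern described in the article: copy a null-terminated string from an
 * internal record into the buffer passed as the first argument, with no length
 * check. The amount written is controlled entirely by the document content.
 * Kept for contrast only; it is only ever called with a well-formed input here. */
static void copy_unbounded(char *dest, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {      /* stops only at the terminator */
        dest[i] = src[i];
        i++;
    }
    dest[i] = '\0';
}

/* Hardened form: the caller passes the destination capacity, the copy is
 * bounded, and input that does not fit is rejected rather than truncated
 * silently. Returns 0 on success, -1 on rejection. */
static int copy_bounded(char *dest, size_t dest_size, const char *src)
{
    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    size_t len = 0;
    while (len < dest_size && src[len] != '\0')
        len++;
    if (len == dest_size)         /* no room left for the terminator */
        return -1;
    memcpy(dest, src, len + 1);   /* copies the '\0' as well */
    return 0;
}

/* Simulates handling one record from a document with the bounded copy:
 * returns 0 if the record fits the fixed buffer, -1 if it was rejected. */
int handle_record(const char *record)
{
    char buf[DEST_SIZE];
    return copy_bounded(buf, sizeof buf, record);
}

int main(void)
{
    char buf[DEST_SIZE];
    copy_unbounded(buf, "Times New Roman");   /* well-formed input only */
    printf("short record: %s\n", handle_record(buf) == 0 ? "accepted" : "rejected");
    printf("long record:  %s\n", handle_record("0123456789012345678901234567890123456789") == 0 ? "accepted" : "rejected");
    return 0;
}
```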

According to Embedi, the use of several OLEs designed to exploit the vulnerability could lead to the execution of an arbitrary sequence of commands, such as downloading a file from the Internet and executing it.

The security researchers claim that they managed to create an exploit that would work with all Office versions released over the past 17 years, including Office 365, and which would impact all Windows versions, including Windows 10 Creators Update. Furthermore, the exploit would work on all architectures.

The most worrying aspect of the vulnerability is that the exploit doesn’t require user interaction for it to work, once the malicious document carrying the code is opened. In fact, the attack would not even interrupt a user’s work with Microsoft Office, the researchers claim.

“The only hindrance here is the protected view mode because it forbids active content execution (OLE/ActiveX/Macro). To bypass it cyber criminals use social engineering techniques. For example, they can ask a user to save a file to the Cloud (OneDrive, GoogleDrive, etc.). In this case, a file obtained from remote sources will not be marked with the MOTW (Mark of The Web) and, when a file is opened, the protected view mode will not be enabled,” Embedi notes.

This vulnerability, the researchers conclude, shows that EQNEDT32.EXE is an obsolete component that may contain other, possibly easily exploitable, security weaknesses. Had standard security mitigations been enabled when the file was compiled, the vulnerability would not have been exploitable, the researchers say.

The vulnerability was reported to Microsoft in April 2017. The software giant addressed it this week, as part of its November 2017 Patch Tuesday.

Related: Microsoft Patches 20 Critical Browser Vulnerabilities

Related: Microsoft Patches Office, IE Flaws Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
