Microsoft on Tuesday released its November 2017 security updates to resolve 53 vulnerabilities across products, including a security bug that has impacted all versions of its Microsoft Office suite over the past 17 years.
Tracked as CVE-2017-11882, the vulnerability resides in the Microsoft Equation Editor (EQNEDT32.EXE), a tool that provides users with the ability to insert and edit mathematical equations inside Office documents.
The bug was discovered by Embedi security researchers as part of very old code in Microsoft Office. The vulnerable version of EQNEDT32.EXE was compiled on November 9, 2000, “without essential protective measures,” the researchers say.
Although the component was replaced in Office 2007 with new methods of displaying and editing equations, Microsoft kept the vulnerable file up and running in the suite, most likely to ensure compatibility with older documents.
“The component is an OutPorc COM server executed in a separate address space. This means that security mechanisms and policies of the Office processes do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities,” Embedi notes in a research paper (PDF).
EQNEDT32.EXE, the researchers explain, employs a set of standard COM interfaces for Object Linking and Embedding (OLE), an Office feature already known to be abused by cybercriminals.
The researchers discovered they could cause a buffer overflow using a procedure calling a function designed to “copy null-term lines from an internal form to buffer which was sent to it as the first argument.” The bug, the researchers say, can be exploited to achieve arbitrary code execution.
According to Embedi, the use of several OLEs designed to exploit the vulnerability could lead to the execution of an arbitrary sequence of commands, such as downloading a file from the Internet and executing it.
The security researchers claim that they managed to create an exploit that would work with all Office versions released over the past 17 years, including Office 365, and which would impact all Windows versions, including Windows 10 Creators Update. Furthermore, the exploit would work on all architectures.
The most worrying aspect of the vulnerability is that the exploit doesn’t require user interaction for it to work, once the malicious document carrying the code is opened. In fact, the attack would not even interrupt a user’s work with Microsoft Office, the researchers claim.
“The only hindrance here is the protected view mode because it forbids active content execution (OLE/ActiveX/Macro). To bypass it cyber criminals use social engineering techniques. For example, they can ask a user to save a file to the Cloud (OneDrive, GoogleDrive, etc.). In this case, a file obtained from remote sources will not be marked with the MOTW (Mark of The Web) and, when a file is opened, the protected view mode will not be enabled,” Embedi notes.
This vulnerability, the researchers conclude, proves that EQNEDT32.EXE is an obsolete component that may contain other security weaknesses, possibly easily exploitable. Had standard security mitigation been used when compiling the file, the vulnerability wouldn’t be exploitable, the researchers say.
The vulnerability was reported to Microsoft in April 2017. The software giant addressed it this week, as part of its November 2017 Patch Tuesday.