After 17 years, Microsoft has officially released a fix to a known vulnerability in the Microsoft Office Suite that is installed on the system by default
In last Tuesday’s patch update, Microsoft included an update to a 17 year old remote code execution vulnerability that was found within the Office Suite – Microsoft Equation Editor. This vulnerability listed as CVE-2017-11882 was patched during the November update release along with 52 other fixes.
The official severity ranking given to this vulnerability by Microsoft was only ‘important’ but researchers at Embedi – who found the bug – call it ‘extremely dangerous.’
On Tuesday, Embedi researchers released a report starting that the vulnerability is a real threat because all versions of Microsoft Office over the past 17 years are vulnerable and that the CVE ‘works with all Microsoft Windows versions ( including Microsoft Windows 10 Creators Update ).’
This executable, Microsoft Equation Editor is installed by default with the Office suite. The purpose of the application is to insert and edit various complex equations as ‘Object Linking and Embedding ( OLE )’ items in Microsoft Word documents.
The original instances of this application was from November of 2000 when it was first compiled and included in the suite. Researchers had noted that in 2007 the component was replaced with an updated version but that the original Equation Editor was left in the installation to be backwards compatible and support older files that used the OLE-based equations.
Embedi continued to dig, discovering that the EQNEDT32.EXE file was additionally unsafe because when ran, the application operated outside of Office and did not benefit from the Windows 10 and other Office security features such as Control Flow Guard.
“The component is an OutProc COM server executed in a separate address space. This means that security mechanisms and policies of the office processes (e.g. WINWORD.EXE, EXCEL.EXE, etc.) do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities,” Embedi wrote.
How Was It Found and What Can It Do?
Surprisingly, the researchers as Embedi discovered this vulnerability by using Microsoft’s BinScope tool which reported EQNEDT32.EXE as a vulnerable executable. BinScope is an application that analyzes files on the system to see if they meet or pass different standards that have been set by Microsoft’s Security Development Lifecycle – one of the main elements of Microsoft’s Trustworthy Computing campaign.
Embedi exploited this vulnerability by using two different buffer overflows that uses some of the OLE’s. ‘By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands ( e.g. to download an arbitrary file from the internet and executre it’, researchers said.
As part of the research, a proof-of-concept was created that effectively attacks all version of Office dating back to 2000, including Office 365 running on all current versions of Microsoft ( 7, 8.1, 10, etc ).
Microsoft reports that the CVE is a memory corruption vulnerability stating – “Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file”.
Our thoughts and the Researchers at Embedi recommendations are to download the patch from Microsoft that fixes the Equation Editor and if you wish to be more proactive or if you are running or operating as IT for a company to completely disable EQNEDT32.EXE from within the Windows registry.
“Because the component has numerous security issues and the vulnerabilities it contains can be easily exploited, the best option for a user to ensure security is to disable registering of the component in Windows registry,” researchers wrote.