Office Equation Editor Security Bug Runs Malicious Code Without User Interaction

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Microsoft has patched today a huge security hole in Microsoft Office that could be exploited to run malicious code without user interaction on all Windows versions released in the past 17 years.


The vulnerability — tracked as CVE-2017-11882 — was patched today in the November 2017 Patch Tuesday updates.


Vulnerability resides in the old Office equation editor
Discovered by the Embedi research team, the vulnerability affects the Microsoft Equation Editor (EQNEDT32.EXE), one of the executables that is installed on users' computers with the Office suite.

This tool, as the name obviously implies, allows users to embed mathematical equations inside Office documents as dynamic OLE objects.

Embedi discovered that Microsoft was still using a version of the EQNEDT32.EXE file that was compiled on November 9, 2000, meaning it was running on very old code that featured out-of-date libraries and did not use any of the recent security features added to Windows OS releases.

Subsequent sleuthing revealed that the component was replaced by a new equation editor in Office 2007, but Microsoft left the old one inside Office to make sure the Office software suite could open documents that featured equations made in older Office versions.

EQNEDT32.EXE buffer overflow allows remote code execution
A closer look at the file confirmed the researcher's worst fears, as the EQNEDT32.EXE component spawned its own process, outside the main Office process, that did not utilize any of the security features added to Windows 10 or the Office suite.

EQNEDT32-mitigations.png


Using Microsoft's own BinScope binary verification tool, it didn't take long for researchers to find two memory corruption (buffer overflow) vulnerabilities in the EQNEDT32.EXE file.

"By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it)," said the Embedi team today, in a 20-page report they released describing the vulnerability.

"One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker," researchers added.

How to stay safe
As for Windows users, there are a few things they can do to prevent attacks. First and foremost they can apply the recent updates, delivered through KB2553204, KB3162047, KB4011276, and KB4011262.

Second, documents that come with equations created with the old Equation Editor, malicious or not, will show a popup that will prompt the user if he wants to open the file in Protected View mode, an Office state that forbids the execution of any active content (malicious code) contained in the document. Until users have applied the updates, they should make sure to open files in Protected View mode.

Last but not least, users can use two registry keys to disable registering of the legacy equation editor component in the Windows registry.

The two registry keys below will prevent Windows from ever starting the EQNEDT32.EXE file, and indirectly prevent attackers from exploiting it. In your command prompt, type the following:
...
......
..
............
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top