Huge Flaw Discovered in Microsoft Office

In this month’s Patch Tuesday, Microsoft patched a massive vulnerability affecting all Microsoft Office versions released in the past 17 years that allows for malicious code execution. The vulnerability (CVE-2017-11882) affects the Microsoft Equation Editor (EQNEDT32.exe) and was discovered by the Embedi research team.

The Equation Editor is a tool that allows users to embed mathematical equations in Office documents.

The researchers also found that the original Equation Editor was replaced by a new version in Office 2007, but the old one remained as a part of Office to allow documents featuring equations created in older Office versions to be opened.

After noticing that the EQNEDT.exe file spawns its own process unaffected by security features implemented in the Office suite or Windows 10, the Embedi research team was able to use Microsoft’s Binscope to find two buffer overflow vulnerabilities.

You can find more information regarding this vulnerability in Embedi’s full report.

How to protect yourself

Microsoft Office users can do a few things to prevent themselves from being exploited by this attack:

  • Apply the most recent Microsoft Office and Windows Updates.
  • Open documents in Protected View Mode. Users will get a popup asking whether or not they would like to open the file in Protected View Mode if the file contains equations created by the Equation Editor. Protected View Mode prevents the execution of any active content within the document.
  • Users may also disable the execution of the EQNEDT32.exe file by running the following command: reg add “HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400
  • 32-bit Office packages running on 64-bit Windows OS can input the following command: reg add “HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400

Sources:

https://www.bleepingcomputer.com/news/security/office-equation-editor-security-bug-runs-malicious-code-without-user-interaction/