Skip to content ↓ | Skip to navigation ↓

Microsoft has patched a 17-year-old bug hidden in its Office suite that attackers can use to execute arbitrary code on vulnerable machines.

The vulnerability resides in Microsoft Equation Editor (EQNEDT32.EXE). It’s a component that allows users to insert and edit equations into Microsoft Word documents as an Object Linking and Embedding (OLE) item. This object consists of internal data and a representative picture in the form of a formula.

Insertion and editing of equations. (Source: Embedi)

EQNEDT32.EXE was first compiled on 9 November 2000. Its relevance persisted across Microsoft Office 2000 and Microsoft 2003. A few years later, the component became outdated with Microsoft Office 2007.

Embedi’s security experts explain it is around that time that the trouble started:

“Still, it was not removed from the package, probably to ensure the software is compatible with documents of older versions. The component is an OutPorc COM server executed in a separate address space. This means that security mechanisms and policies of the office processes (e.g. WINWORD.EXE, EXCEL.EXE, etc.) do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities….”

In this absence of security mitigations, the researchers discovered a stack-based overflow flaw that an attacker could exploit to execute arbitrary code. They found the easiest way to execute arbitrary code was to launch a file from the WebDAV server controlled by an attacker. The experts also found an attacker could use OLE auto-update to exploit the vulnerability without any user interaction.

Embedi’s exploit works on all Microsoft Office versions released in the past 17 years, all Microsoft Windows versions, and all types of architectures. Below is a demonstration of the exploit for Office 2010 on Windows 7, Office 2013 on Windows 8.1, and Office 2016 on Windows 10:

The researchers at Embedi did come across one issue with exploiting the flaw. But they found it could be easily bypassed with some additional attack techniques:

“The only hindrance here is the protected view mode because it forbids active content execution (OLE/ActiveX/Macro). To bypass it cyber criminals use social engineering techniques. For example, they can ask a user to save a file to the Cloud (OneDrive, GoogleDrive, etc.). In this case, a file obtained from remote sources will not be marked with the MOTW (Mark of The Web) and, when a file is opened, the protected view mode will not be enabled.

“However, if the software had been compiled with at least standard security mitigations, it would have been exploitable. All this demonstrates that EQNEDT32.EXE is an obsolete component that may contain a tremendous number of vulnerabilities and security weaknesses, which can be easily exploited.”

Microsoft first received word of the flaw in March. It subsequently issued a fix for the bug (CVE-2017-11882) in its November Patch Tuesday. You can learn more about this important update here.

For information on how Tripwire’s products can help your organization stay on top of known vulnerabilities found in Microsoft Office and other software suites, click here.

In the meantime, admins might want to consider disabling the EQNEDT32.EXE component altogether using the command prompt.