Microsoft has patched today a huge security hole in Microsoft Office that could be exploited to run malicious code without user interaction on all Windows versions released in the past 17 years.

The vulnerability — tracked as CVE-2017-11882 — was patched today in the November 2017 Patch Tuesday updates.

Vulnerability resides in the old Office equation editor

Discovered by the Embedi research team, the vulnerability affects the Microsoft Equation Editor (EQNEDT32.EXE), one of the executables installed on users' computers along with the Office suite.

This tool, as the name obviously implies, allows users to embed mathematical equations inside Office documents as dynamic OLE objects.

Embedi discovered that Microsoft was still using a version of the EQNEDT32.EXE file that was compiled on November 9, 2000, meaning it was running on very old code that featured out-of-date libraries and did not use any of the recent security features added to Windows OS releases.

Subsequent sleuthing revealed that the component was replaced by a new equation editor in Office 2007, but Microsoft left the old one inside Office to make sure the Office software suite could open documents that featured equations made in older Office versions.

EQNEDT32.EXE buffer overflow allows remote code execution

A closer look at the file confirmed the researchers' worst fears: the EQNEDT32.EXE component spawned its own process, outside the main Office process, and that process did not use any of the security features added to Windows 10 or the Office suite.

[Image: EQNEDT32.EXE properties]

Using Microsoft's own BinScope binary verification tool, it didn't take long for researchers to find two memory corruption (buffer overflow) vulnerabilities in the EQNEDT32.EXE file.
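The same kind of check BinScope performs can be done by hand on the PE headers: the link timestamp and the DllCharacteristics bits tell you whether a binary was built to opt in to ASLR, DEP and Control Flow Guard. This PowerShell script is an added example, not code from Embedi, Microsoft or the article; the two EQNEDT32.EXE paths it probes are the usual default install locations and are assumptions you may need to adjust.

```powershell
# Added example (not from Embedi or Microsoft): parse the COFF and optional headers of a PE file
# and report its link timestamp plus the DllCharacteristics mitigation bits BinScope checks.
function Get-PeMitigationReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                    # e_lfanew: file offset of "PE\0\0"
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path has no PE signature" }

    $coff     = $pe + 4                                        # 20-byte COFF file header
    $linkTime = [BitConverter]::ToUInt32($b, $coff + 4)        # TimeDateStamp: seconds since 1970 UTC
    $opt      = $coff + 20                                     # optional header follows the COFF header
    $magic    = [BitConverter]::ToUInt16($b, $opt)             # 0x10B = PE32, 0x20B = PE32+
    $dllChar  = [BitConverter]::ToUInt16($b, $opt + 70)        # DllCharacteristics: offset 70 in both formats

    # IMAGE_DLLCHARACTERISTICS_* bits that opt a binary in to modern Windows mitigations
    $bits = [ordered]@{
        'ASLR (DYNAMIC_BASE)'          = 0x0040
        'DEP (NX_COMPAT)'              = 0x0100
        'HighEntropyASLR (64-bit only)' = 0x0020
        'ControlFlowGuard'             = 0x4000
    }
    $format = 'PE32'
    if ($magic -eq 0x20B) { $format = 'PE32+' }
    $report = [ordered]@{
        Path     = $Path
        Format   = $format
        LinkTime = [DateTimeOffset]::FromUnixTimeSeconds($linkTime).UtcDateTime
    }
    foreach ($name in $bits.Keys) { $report[$name] = (($dllChar -band $bits[$name]) -ne 0) }
    [pscustomobject]$report
}

# Assumed default install locations of the legacy editor; adjust for your deployment.
$candidates = @(
    "$env:CommonProgramFiles\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE"
)
foreach ($exe in $candidates) {
    if (Test-Path -LiteralPath $exe) { Get-PeMitigationReport -Path $exe | Format-List }
}
```

A binary linked in 2000 with all four flags reported as False is exactly the profile the article describes; the same function works on any other EXE or DLL you want to audit.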

"By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it)," said the Embedi team today, in a 20-page report they released describing the vulnerability.

"One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker," researchers added.

PoC exploit worked on all recent Windows/Office versions

The exploitation chain Embedi experts devised worked on all Microsoft Office versions (including Microsoft Office 365), and with all the Microsoft Windows versions released in the past 17 years.

In addition, it worked on all types of architectures (32-bit and 64-bit), did not interrupt the user's Microsoft Office workflow, and did not require any user interaction.

Researchers released a YouTube video of attacks on three different Office and Windows versions (Office 2010 on Windows 7, Office 2013 on Windows 8.1, and Office 2016 on Windows 10).

"All this demonstrates that EQNEDT32.EXE is an obsolete component that may contain a tremendous number of vulnerabilities and security weaknesses, which can be easily exploited," Embedi researchers said.

Other older apps may feature similar security flaws

They also suggested that other similarly ancient Windows components that have been moved from platform to platform without receiving updates or a new codebase are in a similar situation and may also expose users to attacks.

The Embedi team hinted that components like the ones below should be investigated further:

- ODBC drivers and Redshift libraries (compiled without essential protective measures).
- ODBC drivers and Salesforce libraries (compiled without essential protective measures).
- Some .NET binaries responsible for the Microsoft Office user interface.

How to stay safe

Windows users can do a few things to prevent attacks. First and foremost, they can apply the recent updates, delivered through KB2553204, KB3162047, KB4011276, and KB4011262.

Second, documents containing equations created with the old Equation Editor, malicious or not, will show a popup asking the user whether to open the file in Protected View, an Office mode that blocks the execution of any active content (including malicious code) in the document. Until users have applied the updates, they should make sure to open such files in Protected View.

Last but not least, users can set two registry keys that stop Office from loading the legacy Equation Editor COM component.

The two registry keys below set the kill-bit flag (0x400) on the Equation Editor's CLSID in Office's COM Compatibility key, so Office will no longer activate the object and EQNEDT32.EXE is never started, which indirectly prevents attackers from exploiting it. Because these are writes to HKLM, run the command from an elevated (administrator) command prompt:

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

For 32-bit Microsoft Office packages running on 64-bit Windows, the same flag must be set under Wow6432Node; type the following:

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
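To verify the mitigation across a fleet, or to apply it without clobbering flag bits that may already be present, the kill bit can be audited and set from PowerShell. This script is an added example, not code from the article, Embedi or Microsoft; it uses the CLSID and key paths from the reg commands above and assumes it is run with administrator rights when applying.

```powershell
# Added example (not from the article, Embedi or Microsoft): audit, and optionally set, the 0x400
# kill bit for the Equation Editor CLSID under Office's COM Compatibility key, in both the native
# and the Wow6432Node location. Reading works as any user; writing HKLM needs an elevated prompt.
$Clsid   = '{0002CE02-0000-0000-C000-000000000046}'   # Equation Editor CLSID, as in the reg commands above
$KillBit = 0x400                                      # Compatibility Flags bit that blocks activation of the class
$Keys = @("HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {          # 32-bit Office on 64-bit Windows reads the WOW64 view
    $Keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
}

function Get-EquationEditorKillBit {
    foreach ($k in $Keys) {
        $flags = $null
        if (Test-Path -LiteralPath $k) {
            $flags = (Get-ItemProperty -LiteralPath $k -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        $shown = '(not set)'
        if ($null -ne $flags) { $shown = '0x{0:X}' -f $flags }
        [pscustomobject]@{
            Key        = $k
            Flags      = $shown
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-EquationEditorKillBit {
    foreach ($k in $Keys) {
        if (-not (Test-Path -LiteralPath $k)) { New-Item -Path $k -Force | Out-Null }
        $existing = (Get-ItemProperty -LiteralPath $k -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $value = [int]$existing -bor $KillBit            # keep any other flag bits already present
        New-ItemProperty -LiteralPath $k -Name 'Compatibility Flags' -Value $value -PropertyType DWord -Force | Out-Null
    }
}

Get-EquationEditorKillBit | Format-Table -AutoSize
# Set-EquationEditorKillBit; Get-EquationEditorKillBit   # run from an elevated PowerShell to apply and re-check
```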

The vulnerability, as described by Embedi researchers, is a gold mine for both APT groups and day-to-day malware distribution campaigns. We've certainly not heard the last of CVE-2017-11882.