Hackers Revive Microsoft Office Equation Editor Exploit

Hackers used specially-crafted Microsoft Word documents during the last few months to abuse an Integer Overflow bug that helped them bypass sandbox and anti-malware solutions and exploit the Microsoft Office Equation Editor vulnerability patched 15 months ago.

According to Microsoft’s security advisory, this memory corruption vulnerability tracked as CVE-2017-11882 impacts unpatched Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016.

While the vulnerability was patched as part of the November 2017 Patch Tuesday, successful exploitation leads to arbitrary code execution in the context of the current user, and it can also enable potential attackers to take complete control of compromised systems if the victim is logged on with administrative user rights.

Overflow bug can be chained with any vulnerability

Mimecast’s Meni Farjon, the security researcher who described the inner workings of the bug used to revive the tried-and-tested Equation Editor Exploit, told BleepingComputer that “The bug can be used to carry any payload into an OLE file, so this can be chained to pretty much any Word vulnerability. Consider this as a vehicle which can cloak the payload, or a stealth jet armed with any missile.”

According to Farjon, “Our detection engines spotted an attacker group, which seems to originate from Serbia, using specially-crafted Microsoft Word documents to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format.”

Once the overflow bug present in the “Object Linking and Embedding (OLE) file format and the way it’s handled in Microsoft Office Word” is triggered and the attackers leverage the Equation Editor Exploit, they can drop any malware payload after gaining administrative user rights either by chaining other vulnerabilities or by taking advantage of the victim’s choice of using an account with full user rights.

OLE Integer Overflow bug left unpatched

During one of the attacks detected by the researcher, the hacking group “dropped a new variant of Java JACKSBOT, a remote access backdoor that could only be active or infect its target if Java was installed. JACKSBOT is capable of taking complete control of the compromised system.”

Although Mimecast contacted Microsoft after discovering this security issue following their Coordinated Vulnerability Disclosure (CVD) and also provided a working proof-of-concept (PoC), Redmond chose not to release a security patch because “the issue on its own does not result in memory corruption or code execution” although it “acknowledged it was unintended behavior.”

“Microsoft did not fix the issue, and did not assign a CVE number to it. Their response was that the issue doesn’t meet the severity bar for servicing via a security update because it doesn’t result in a memory corruption or code execution by itself,” Farjon told BleepingComputer.

Besides, even though “There is no ‘right’ thing to do here” according to the researcher, “Leaving it undisclosed is bad, because limited attacks can still be happening, but publishing this without a fix might get more attacks to learn and implement that in higher volumes.”
