Overview of the Microsoft Office Memory Corruption Vulnerability
- The vulnerability is present in the Equation Editor (EQNEDT32.exe), a Microsoft Office component that lets users insert and edit mathematical equations within documents.
- The flaw is prevalent in all Microsoft Office versions since 2000 and up to the latest version, Office 2016. This includes Office 365, the latest version of Windows 10 Creators Update and all architecture types (32-bit and 64-bit.)
- When exploited, it allows for an attacker to install malware or run malicious commands.
How does the vulnerability work?
- When a user opens a malicious document, the vulnerability allows an unauthenticated remote attacker to execute malicious code on the user’s system.
- The security mechanisms and policies of the Office executable processes (i.e. WINWORD.exe, EXCEL.exe, etc.) do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities to successfully target users.
- The vulnerability can be exploited to take control over a system when combined with Windows Kernel privilege escalation exploits (e.g. CVE-2017-11847).
How exposed are you to this vulnerability?
- You probably are if you have not applied the November 2017 security patches which Microsoft has released. A full list of all the security issues can be viewed here: https://cdn.rawgit.com/campuscodi/Microsoft-Patch-Tuesday-Security-Reports/master/Reports/MSRC_CVEs2017-Nov.html
Measures you can take as a priority
- Patch your operating systems, specifically Microsoft's November security patches as soon as possible. Microsoft has addressed the vulnerability by changing how Microsoft Office handles objects in memory.
- Disable registering of components in Windows Registry to prevent Windows from starting the executable file (see below for technical information for how to achieve this).
- Enable 'Protected View' (Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macros). More information can be found here: https://support.office.com/en-us/article/What-is-Protected-View-159705a8-9129-423e-940e-ad6e9868277d
- However, also note that this is known to be bypassed by attackers through social engineering techniques - for example, if they ask a user to save a file to cloud-based storage services (OneDrive, Google Drive, Dropbox, etc.). In this case, a file obtained from remote sources will not be marked with the MOTW (Mark of The Web) and, when the file is opened, the protected view mode will not be enabled.
- Email your staff to be vigilant about the heightened and ongoing risk of unexpected/unknown emails containing Microsoft Office attachments and to not click on any arbitrary files downloaded from the Internet.
Other good practices:
- Maintain an up-to-date application inventory (including versions and configuration settings). This will help you to understand if your organisation is exposed to vulnerabilities found in applications / systems. If so, you can quickly apply patches to these systems.
- Regular vulnerability scanning and maintain good patching practices.
- Maintain up-to-date Anti-Virus (AV) signatures and definitions.
- Technical information – disabling registration of components by adding the following two registry keys in the Windows Registry.
- Within Command Prompt, enter the following:
- As for 32-bit Microsoft Office packages running on 64-bit Windows, enter the following in Command Prompt:
Microsoft security advisory – CVE-2017-11882 | Microsoft Office Memory Corruption
News and blog articles: