Microsoft Patches 17 year old MS Office Memory Corruption Flaw

Threat Summary

This blog is regarding a memory corruption vulnerability in the equation editor of Microsoft Office that affects all versions from 2000 to Office 365. The vulnerability is being tracked as CVE-2017-11882 and was discovered and reported to Microsoft by a Security Researcher at Embedi on August 3^rd. Information on the vulnerability wasn’t publically released until Microsoft patched it this month during their November 14^th patch Tuesday.

We’ve seen several cases of it in the wild being exploited by threat actors on a much more frequent basis. Here are some of the statistics from the research performed by our labs team.

• There were over 500 unique samples submitted to various threat intelligence systems between November 20^th and November 30^th.
• 70% of those samples were in Rich Text Format (.rtf extension)

The first 5 samples were identified by VirusTotal on November 20^th and have significantly increased by November 30^th. The graph below shows the greatest amount of unique samples submitted by day.

This is a quick video from Embedi demonstrating the exploit on the latest versions of MS Office where the “malicious” word doc executes calc.exe (for proof of concept). Note that there is no user interaction required once the document is opened.

Threat Detection

Our labs team was able to analyze several samples in the wild and extract indicators of compromise (IOCs) from those and we’re tracking those IOCs in a private pulse. We’ve also subscribed our clients to a couple public pulses that specifically relate to attacks by the Cobalt Group whom are exploiting CVE-2017-11882 with CobaltStrike. The Cobalt Group is known to specifically target banks and financial institutions in Europe and Asia.

Threat Prevention

Microsoft released patches to remediate the vulnerability on November 17^th. The most effective way of protecting yourself is to ensure you’re Microsoft OS and Office products are up to date.

KB4011276 – patches MS Office 2007 SP3: https://www.microsoft.com/en-us/download/details.aspx?id=56240

KB2553204 – patches MS Office 2010 SP2 32bit: https://www.microsoft.com/en-us/download/details.aspx?id=56215

KB4011618 – patches MS Office 2010 SP2 64bit: https://www.microsoft.com/en-us/download/details.aspx?id=56267

KB3162047 – patches MS Office 2013 SP1 32bit: https://www.microsoft.com/en-us/download/details.aspx?id=56206

KB3162047 – patches MS Office 2013 SP1 64bit: https://www.microsoft.com/en-us/download/details.aspx?id=56207

KB4011262 – patches MS Office 2016 32bit: https://www.microsoft.com/en-us/download/details.aspx?id=56251

KB4011262 – patches MS Office 2016 64bit: https://www.microsoft.com/en-us/download/details.aspx?id=56250

Optionally (and it’s not a bad idea), you can enforce “protected view” in your office products. Protected view is a read-only mode that the document will open it, which will prevent the execution of active content (including equations) until the user enables editing of the document.

There is more information on the Protected View here where you’ll also find help on group policy implementation if desired: https://technet.microsoft.com/en-us/library/ee857087.aspx

Further Technical Details

If interested in the complete details of that whitepaper, it can be found here: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/

The specific vulnerability lies within EQNEDT32.EXE, a very legacy component that was maintained for backwards compatibility, which provides the function to insert and edit equations (an OLE object) within documents.

One of the main reasons for the success of the exploit is that EQNEDT32.exe spawns it’s own process outside of the main WINWORD.exe process. Therefore it doesn’t utilize any of the Windows 10 or Office security features.

Additionally, the component has a memory corruption flaw that can be exploited quite easily allowing an attacker to execute malicious code upon opening the document — no other user interaction is necessary. Here’s an excerpt from the article that provides an example of how a malicious payload could be downloaded and executed: