A few days ago, Microsoft announced that it had repaired the 17-year-old remote code execution bug, which was contained in an executable program called the Microsoft Equation Editor, which is part of the Office software suite.
The CVE-2017-11882 weakness correction comes as part of Tuesday’s November 53 security correction and contains 53 corrections. Vulnerabilities in software used on smartphones, tablets and PCs are placing the user at almost daily risk.
Microsoft has assessed the bug as “significant” in terms of impact, but security researchers at embedi security solutions who discovered the bug described it as “very serious,” following the bug in every version of the Office suite released since 2000, Works with all Windows versions, including Windows 10 Creators Update.
The Equation Editor is assumed to be installed with the Office suite, and the program is used to insert and edit complex equations as OLE binding and embedding elements in Microsoft Word documents, a feature that may never be used by Microsoft Office users.
The Equation Editor software has been in place since November 2000, and has since been included in all versions of the Office suite. The software was adapted in 2007 with a newer version, and the old Associate Editor software within Office was left to support files that used the old EQNEDT32 .EXE.
An additional analysis by Embedi revealed that EQNEDT32.EXE is insecure because it runs outside the Office package when running, and has not taken advantage of security features in Windows 10 and Office such as Control Flow Guard.
Microsoft has introduced a new security feature in Office 2010, which has significantly mitigated the risk of Protected View, which helps protect against such software by reducing the functionality of unknown and unsafe documents.
According to Embedi, the hackers can easily circumvent this protection by first penetrating the user through a disguised phishing attack, disrupting the Protected View feature and then exploiting the bug remotely, with the notable improvement in recent years of hacker skills in social engineering and phishing attacks that today are much more complex Than in 2010.