Hackers Revive Microsoft Office Equation Editor Exploit

Hackers used specially-crafted Microsoft Word documents during the last few months to abuse an Integer Overflow bug that helped them bypass sandbox and anti-malware solutions and exploit the Microsoft Office Equation Editor vulnerability patched 15 months ago.

According to Microsoft’s security advisory, this memory corruption vulnerability tracked as CVE-2017-11882 impacts unpatched Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016.

The vulnerability was patched as part of the November 2017 Patch Tuesday. On unpatched systems, successful exploitation leads to arbitrary code execution in the context of the current user, and it can also enable potential attackers to take complete control of compromised systems if the victim is logged on with administrative user rights.

Overflow bug can be chained with any vulnerability

Mimecast’s Meni Farjon, the security researcher who described the inner workings of the bug used to revive the tried-and-tested Equation Editor Exploit, told BleepingComputer that “The bug can be used to carry any payload into an OLE file, so this can be chained to pretty much any Word vulnerability. Consider this as a vehicle which can cloak the payload, or a stealth jet armed with any missile.”

According to Farjon, “Our detection engines spotted an attacker group, which seems to originate from Serbia, using specially-crafted Microsoft Word documents to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format.”

Once the overflow bug present in the “Object Linking and Embedding (OLE) file format and the way it’s handled in Microsoft Office Word” is triggered and the attackers leverage the Equation Editor Exploit, they can drop any malware payload after gaining administrative user rights either by chaining other vulnerabilities or by taking advantage of the victim’s choice of using an account with full user rights.

OLE Integer Overflow bug left unpatched

During one of the attacks detected by the researcher, the hacking group “dropped a new variant of Java JACKSBOT, a remote access backdoor that could only be active or infect its target if Java was installed. JACKSBOT is capable of taking complete control of the compromised system.”

Although Mimecast contacted Microsoft after discovering this security issue following their Coordinated Vulnerability Disclosure (CVD) and also provided a working proof-of-concept (PoC), Redmond chose not to release a security patch because “the issue on its own does not result in memory corruption or code execution” although it “acknowledged it was unintended behavior.”

“Microsoft did not fix the issue, and did not assign a CVE number to it. Their response was that the issue doesn’t meet the severity bar for servicing via a security update because it doesn’t result in a memory corruption or code execution by itself,” Farjon told BleepingComputer.

According to the researcher, “There is no ‘right’ thing to do here”: “Leaving it undisclosed is bad, because limited attacks can still be happening, but publishing this without a fix might get more attacks to learn and implement that in higher volumes.”