Hacker are misusing CVE-2017-11882 in Office EQNEDT32.EXE

[German]Microsoft Office is shipped with old equation editor EQNEDT32.EXE that contains a vulnerability. This vulnerability is used by hacker to distribute malware.


Vulnerability in EQNEDT32.EXE

Equation editor EQNEDT32.EXE has a vulnerability that exists since 2000 (see here and here). The equation editor EQNEDT32.EXE has been replaced by a new version in 2007. But Microsoft is still shipping EQNEDT32.EXE in all Office versions up to Office 2016 for compatibility reasons (to open documents with old equations).


Microsoft has patched this vulnerability in EQNEDT32.EXE on patchday (November 14, 2017) in all still supported Office versions.

But the patch has been made in an unorthodox way, altering the binary code – see my blog post Has Microsoft lost access to parts of Office source code?.

CVE-2017-11882 is used from Cobalt hacker group

According to this article from Reversing Labs, vulnerability CVE-2017-11882 in EQNEDT32.EXE is actively misused by Cobalt hacker group. The security experts found a modified RTF file addressing this vulnerability, that has been spread via email attachments. Some more details may be found at Bleeping Computer.

Office update and a 0patch fixg

Microsoft has patched EQNEDT32.EXE on Office 2007 till Office 2016 for MSI installer versions (see Microsoft Security Center). Security experts from 0patch has contacted me a few days ago. These experts are developing micro patches for 0-day-exploits (see my blog post Third party 0patch closes FoxIt vulnerability).


0patch has published a few days ago the blog post Microsoft's Manual Binary Patch For CVE-2017-11882 Meets 0patch, describing the vulnerability and a micro patch. More details may be found within the linked article. The odd thing: This 0-day-patch seems not to be released in Office versions before Office 2007.

Addendum: After publishing the article above, I received an e-mail from opatch with the following text: We read your article on our analysis of the Equation Editor patch and would like to clarify that Office 2003 is, peculiarly, not vulnerable because for some reason, its Equation Editor executable is different and seems to have been built (or manually patched) 5 years later than the same executable in Office 2007, 2010, 2013 and 2016/365.

Similar articles:
Has Microsoft lost access to parts of Office source code?
Microsoft Patchday Summary (November 14, 2017)
Microsoft Office Patchday (November 7, 2017)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Office, Security and tagged , . Bookmark the permalink.

One Response to Hacker are misusing CVE-2017-11882 in Office EQNEDT32.EXE

  1. Pingback: New Campaign Using Old Equation Editor Vulnerability, (Wed, Oct 10th) | Cyberthreat Blog

Leave a Reply

Your email address will not be published. Required fields are marked *