{"id":4349,"date":"2017-11-28T09:07:57","date_gmt":"2017-11-28T08:07:57","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=4349"},"modified":"2024-10-05T19:01:03","modified_gmt":"2024-10-05T17:01:03","slug":"hacker-are-misusing-cve-2017-11882-in-office-eqnedt32-exe","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/11\/28\/hacker-are-misusing-cve-2017-11882-in-office-eqnedt32-exe\/","title":{"rendered":"Hackers are misusing CVE-2017-11882 in Office EQNEDT32.EXE"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"http:\/\/www.borncity.com\/blog\/2017\/11\/28\/hacker-nutzen-office-formeleditor-schwachstelle-cve-2017-11882-aus\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Microsoft Office ships with the old equation editor EQNEDT32.EXE, which contains a vulnerability. This vulnerability is being used by hackers to distribute malware.<\/p>\n<p><!--more--><\/p>\n<h2>Vulnerability in EQNEDT32.EXE<\/h2>\n<p>The equation editor EQNEDT32.EXE has had a vulnerability since 2000 (see <a href=\"https:\/\/threatpost.com\/microsoft-patches-17-year-old-office-bug\/128904\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> and here). EQNEDT32.EXE was replaced by a new equation editor in Office 2007. 
But Microsoft still ships EQNEDT32.EXE with all Office versions up to Office 2016 for compatibility reasons (so that documents containing old equations can still be opened).<\/p>\n<p><img decoding=\"async\" title=\"Equation editor\" src=\"https:\/\/i.imgur.com\/rRvLh7e.jpg\" alt=\"Equation editor\" \/><\/p>\n<p>Microsoft patched this vulnerability in EQNEDT32.EXE on Patchday (November 14, 2017) in all still-supported Office versions.<\/p>\n<blockquote><p>But the patch was made in an unorthodox way, by altering the binary code directly \u2013 see my blog post <a href=\"https:\/\/borncity.com\/win\/2017\/11\/20\/has-microsoft-lost-access-to-parts-of-office-source-code\/\">Has Microsoft lost access to parts of Office source code?<\/a>.<\/p><\/blockquote>\n<h2>CVE-2017-11882 is used by the Cobalt hacker group<\/h2>\n<p>According to <a href=\"https:\/\/web.archive.org\/web\/20171204041952\/http:\/\/www.reversinglabs.com:80\/newsroom\/news\/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a> from Reversing Labs, vulnerability CVE-2017-11882 in EQNEDT32.EXE is being actively exploited by the Cobalt hacker group. The researchers found a malicious RTF file targeting this vulnerability that was spread via e-mail attachments. More details may be found at <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/a-hacking-group-is-already-exploiting-the-office-equation-editor-bug\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bleeping Computer<\/a>.<\/p>\n<h2>Office update and a 0patch fix<\/h2>\n<p>Microsoft has patched EQNEDT32.EXE in Office 2007 through Office 2016 for MSI-installed versions (see <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-11882\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Security Center<\/a>). Security experts from 0patch contacted me a few days ago. 
These experts develop micropatches for 0-day exploits (see my blog post <a href=\"https:\/\/borncity.com\/win\/2017\/08\/24\/third-party-0patch-closes-foxit-vulnerability\/\">Third party 0patch closes FoxIt vulnerability<\/a>).<\/p>\n<p>A few days ago 0patch published the blog post <a href=\"https:\/\/0patch.blogspot.de\/2017\/11\/official-patch-for-cve-2017-11882-meets.html\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft's Manual Binary Patch For CVE-2017-11882 Meets 0patch<\/a>, describing the vulnerability and a micropatch for it. More details may be found in the linked article. The odd thing: this patch seems not to have been released for Office versions before Office 2007.<\/p>\n<blockquote><p>Addendum: After publishing the article above, I received an e-mail from 0patch with the following text: We read your article on our analysis of the Equation Editor patch and would like to clarify that Office 2003 is, peculiarly, not vulnerable because for some reason, its Equation Editor executable is different and seems to have been built (or manually patched) 5 years later than the same executable in Office 2007, 2010, 2013 and 2016\/365.<\/p><\/blockquote>\n<p><strong>Similar articles:<br \/>\n<\/strong><a href=\"https:\/\/borncity.com\/win\/2017\/11\/20\/has-microsoft-lost-access-to-parts-of-office-source-code\/\">Has Microsoft lost access to parts of Office source code?<\/a><br \/>\n<a href=\"https:\/\/web.archive.org\/web\/20220926221648\/https:\/\/borncity.com\/win\/2017\/11\/14\/microsoft-patchday-summary-november-14-2017\/\">Microsoft Patchday Summary (November 14, 2017)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2017\/11\/08\/microsoft-office-patchday-november-7-2017\/\">Microsoft Office Patchday (November 7, 2017)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft Office ships with the old equation editor EQNEDT32.EXE, which contains a vulnerability. 
This vulnerability is being used by hackers to distribute malware.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,580],"tags":[125,69],"class_list":["post-4349","post","type-post","status-publish","format-standard","hentry","category-office","category-security","tag-office","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=4349"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4349\/revisions"}],"predecessor-version":[{"id":35702,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4349\/revisions\/35702"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=4349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=4349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=4349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}