Microsoft Vulnerability was Discovered after 17 Years Hidden


There is a lot of veteran software in use today, and this opens the door to bugs and security flaws that stay present for years. But I’m here to talk about a new Microsoft vulnerability which was a surprise for all. Not even the big ones escape from mistakes!

First Microsoft vulnerability after 17 years hidden

This is what has happened to the Microsoft Office suite, in which a security problem was found that originates in one of its components. It allows attackers to install malware remotely without the need for the user to give their consent.

To be more specific, Microsoft’s vulnerability is a memory corruption flaw in the Dynamic Data Exchange (DDE) feature. This was not patched at the time and has been present in Microsoft Office for 17 years.

It can be exploited on every version of the suite published since then, including Office 365, and it works on any version of Windows, including the most recent Windows 10 Creators Update.

Discovered by the Embedi security research company, Microsoft’s vulnerability opens the door to remote code execution. It allows an unauthenticated attacker to execute malicious code on the target system without requiring interaction with the user.

For this to happen, the victim only needs to open a specially crafted malicious Office document that exploits it. The vulnerability is identified as CVE-2017-11882 and resides in the executable EQNEDT32.EXE, a component of Microsoft Office responsible for inserting and editing equations as OLE objects within documents.

The component fails to handle objects correctly in memory, resulting in corruption that an attacker can take advantage of.

In this way, the attacker executes malicious code in the context of the user. The executable EQNEDT32.EXE was introduced in Microsoft Office 2000, and the Redmond giant has kept it in order to offer good compatibility with old documents. This compatibility became even more important after the arrival of Microsoft Office 2007 and the new OOXML format (DOCX, XLSX …).

How to fix this Microsoft vulnerability?

Microsoft patched this vulnerability in its monthly package of security updates, so the update should be applied as soon as possible to eliminate it.

In addition, security can be improved by enabling the Microsoft Office sandbox and by running the following command, which disables the registration of the component in the Windows Registry:

  • reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

If you are using 32-bit Office on 64-bit Windows, the command would be:

  • reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
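
To confirm the change took effect on a machine, the following added example (not part of the original article) parses the text output of `reg query "<key>" /v "Compatibility Flags"` for both keys above and reports whether the 0x400 flag is set in each registry view. The function name, the view labels and the sample output are assumptions constructed for illustration.

```python
import re

# CLSID and flag value are taken from the reg add commands above.
CLSID = "{0002CE02-0000-0000-C000-000000000046}"
FLAG = 0x400
VIEWS = {  # view labels are hypothetical names used only in this example
    "native": r"SOFTWARE\Microsoft\Office\Common\COM Compatibility",
    "wow6432": r"SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility",
}
VALUE_RE = re.compile(r"^\s+Compatibility Flags\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def audit(reg_query_output):
    """Return {view: True/False} for whether the 0x400 flag is set in each view.

    Input is the concatenated text of `reg query` for both keys.
    A view whose key or value is absent is reported as False.
    """
    result = {view: False for view in VIEWS}
    current = None
    for line in reg_query_output.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("HKEY_LOCAL_MACHINE\\"):
            # Key header line: work out which registry view it belongs to.
            path = stripped[len("HKEY_LOCAL_MACHINE\\"):].lower()
            current = next((v for v, base in VIEWS.items()
                            if path == (base + "\\" + CLSID).lower()), None)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            # Test the bit, not equality: other flags may be set as well.
            result[current] = bool(int(m.group(1), 16) & FLAG)
    return result

# Constructed sample: native view mitigated, Wow6432Node view lacks 0x400.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}
    Compatibility Flags    REG_DWORD    0x400

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}
    Compatibility Flags    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for view, ok in audit(SAMPLE).items():
        print(f"{view}: {'flag set' if ok else 'NOT mitigated'}")
```

A view reported as not mitigated only matters where the matching Office bitness is installed; the check does not replace applying the security update.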

Was this the first Microsoft Vulnerability?

No. Microsoft published its package of patches a few months ago to correct vulnerabilities in its products. The highlight of this patch is that for the first time we see a fix for a security flaw found in WSL, the subsystem that allows you to run a number of Linux distributions on Windows.

The vulnerability (CVE-2017-8622) in WSL was in how the technology handled the named pipes used for inter-process communication, thus opening the door to code execution with administrator permissions. However, exploiting it required local access to the system, which minimized its possible impact. Microsoft has labeled it as an escalation of privileges that affects version 1703 of Windows 10 64-bit.

Without doubt, Microsoft vulnerabilities won’t stop yet. So, the best way to keep yourself safe from these flaws is to update the system every time it needs it. I hope that in the future all enterprises improve IT security as much as possible to get away from hackers. But, till then, we have to wait.