As part of its monthly ‘Patch Tuesday’ updates, Microsoft yesterday released its November 2017 security patches to resolve 53 vulnerabilities across many of its products, including Windows, Office, Internet Explorer, Microsoft Edge, ASP.NET Core, .NET Core and the ChakraCore browser engine. There were no zero-day vulnerabilities fixed this time round, but the one patch that’s seemingly got everybody talking is a 17-year-old remote code execution bug (CVE-2017-11882) found in an Office executable called Microsoft Equation Editor. The bug affects all versions of Microsoft Office from the past 17 years on all Windows versions, including Windows 10 Creators Update.
The bug was discovered recently by a team of cyber security experts at Embedi and was detailed in a report that was released yesterday. While the researchers described it as “extremely dangerous”, Microsoft seemed to downplay it, only describing the update as ‘important’. The Microsoft Equation Editor, which had the long-standing bug, was first released in 2000 and was installed by default with Office 2000 and Office 2003. The application is used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents. Although it has been replaced by newer software in later versions of Office, some of the code had to be left behind for backwards compatibility with older files that used the OLE-based (EQNEDT32.EXE) equations.
The researchers are advising that everybody with MS Office installed on their systems immediately install the update and also disable EQNEDT32.EXE in the Windows registry to prevent any future problems. According to them, “By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it) … Because the component has numerous security issues and the vulnerabilities it contains can be easily exploited, the best option for a user to ensure security is to disable registering of the component in Windows registry”.
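Before disabling EQNEDT32.EXE, it helps to know which documents still embed its OLE equation objects. The following is an added example, not code from Embedi or Microsoft: a heuristic triage check that assumes the legacy objects are identified by a ProgID of the form `Equation.N` (for example `Equation.3`) or an `Equation Native` stream; the function name and sample inputs are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Assumed markers of the legacy Equation Editor OLE object in each container format.
_OOXML_PROGID = re.compile(rb'ProgID="Equation\.\d"')            # .docx/.docm XML parts
_RTF_OBJCLASS = re.compile(rb"\\objclass\s+Equation\.\d", re.I)  # RTF embedded object
_OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")                  # legacy .doc container
_OLE2_STREAM = "Equation Native".encode("utf-16-le")             # stream name in directory


def uses_legacy_equation(data: bytes) -> bool:
    """Return True if the document bytes embed a legacy Equation Editor object."""
    if data.startswith(b"PK"):  # OOXML is a ZIP archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(
                    _OOXML_PROGID.search(zf.read(name))
                    for name in zf.namelist()
                    if name.startswith("word/") and name.endswith(".xml")
                )
        except zipfile.BadZipFile:
            return False  # not a readable archive, nothing to report
    if data.lstrip().startswith(b"{\\rt"):
        return bool(_RTF_OBJCLASS.search(data))
    if data.startswith(_OLE2_MAGIC):
        return _OLE2_STREAM in data
    return False


def sample_docx(progid: str) -> bytes:
    """Build a minimal constructed .docx-like archive with one embedded OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        xml = f'<w:document><o:OLEObject Type="Embed" ProgID="{progid}"/></w:document>'
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python script.py file1.docx file2.rtf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            if uses_legacy_equation(fh.read()):
                print(f"{path}: embeds a legacy Equation Editor object")
```

This is plain pattern matching, so heavily obfuscated RTF can evade it; treat a negative result as "not found", not "safe".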