Microsoft has patched a 17-year-old bug hidden in its Office suite that attackers can use to execute arbitrary code on vulnerable machines.

The vulnerability resides in Microsoft Equation Editor (EQNEDT32.EXE). It’s a component that allows users to insert and edit equations into Microsoft Word documents as an Object Linking and Embedding (OLE) item. This object consists of internal data and a representative picture in the form of a formula.

Insertion and editing of equations. (Source: Embedi)

EQNEDT32.EXE was first compiled on 9 November 2000. Its relevance persisted across Microsoft Office 2000 and Microsoft 2003. A few years later, the component became outdated with Microsoft Office 2007.

Embedi’s security experts explain it is around that time that the trouble started:

“Still, it was not removed from the package, probably to ensure the software is compatible with documents of older versions. The component is an OutPorc COM server executed in a separate address space. This means that security mechanisms and policies of the office processes (e.g. WINWORD.EXE, EXCEL.EXE, etc.) do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities….”

In this absence of security mitigations, the researchers discovered a stack-based overflow flaw that an attacker could exploit to execute arbitrary code. They found the easiest way to execute arbitrary code was to launch a file from the WebDAV server controlled by an attacker. The experts also found an attacker could use OLE auto-update to exploit the vulnerability without any user interaction.

Embedi’s exploit works on all Microsoft Office versions released in the past 17 years, all Microsoft Windows versions, and all types of architectures. Below is a demonstration of the exploit for Office 2010 on Windows 7, Office 2013 on Windows 8.1, and Office (Read more...)