Microsoft has removed a 17-year-old Office component called the Equation Editor after researchers found an arbitrary code execution flaw in it. This is the second serious vulnerability found in the old code that was kept around for compatibility reasons.
The Microsoft Equation Editor (EQNEDT32.EXE) allows users to insert mathematical and scientific equations into Word documents. The component has remained unchanged in the company’s Office suite since November 2000 and was replaced with new functionality in Office 2007, but the old component was kept as well.
In November, Microsoft fixed a serious buffer overflow bug in the Equation Editor that allowed attackers to execute malicious code when users opened specially crafted documents. It was later discovered that, to fix the flaw, the company directly patched the binary file rather than actually making changes to the component’s source code. This unusual patching method prompted speculation that Microsoft might have lost the source code for this old component.
Since November, the EQNEDT32.EXE vulnerability, tracked as CVE-2017-11882, has been adopted by various malicious actors, including an Iranian cyberespionage group and the Cobalt hackers. As a result, more researchers have started to analyze the old component for similar flaws and, sure enough, they found another vulnerability that allows for the same kind of attack as CVE-2017-11882.
The new vulnerability, revealed Jan. 9, is called CVE-2018-0802 and was independently found and reported by researchers from Check Point Software Technologies, Qihoo 360, Tencent PC Manager and ACROS Security.
Moreover, the Check Point researchers demonstrated that it can be exploited despite Microsoft adding ASLR protection to the Equation Editor in November in an attempt to make exploitation of future flaws more difficult. As a result, Microsoft has now decided to completely remove the component.
On Jan. 9, the company fixed a total of 59 vulnerabilities in Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework, .NET Core and ASP.NET Core. Those include the critical Meltdown and Spectre vulnerabilities that affect most processors.
Microsoft will also deliver the Flash Player patch released by Adobe through Windows Update. That patch addresses an important information disclosure vulnerability.
According to Jimmy Graham from security vendor Qualys, system administrators should prioritize the fixes for Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754), then those for Outlook, Word and the scripting engine in browsers.
It’s worth noting that Microsoft has temporarily halted the delivery of Meltdown and Spectre patches to systems with AMD processors because they caused an unusually large number of errors, leaving computers in an unbootable state.
Also, some antivirus programs are incompatible with the patches and can cause system crashes (blue screens of death). Because of this, Microsoft will not deliver any future security updates to those computers—not just the Meltdown and Spectre patches—until those antivirus products are uninstalled or updated to a compatible version. This is determined by checking for the presence of a registry key.
Companies Should Weigh Performance vs. Security Needs for Spectre Patch
Microsoft has run tests and determined that the patches for Spectre are likely to cause a noticeable performance impact on some systems, especially on Windows servers with IO-intensive operations. As a result, it advises companies to weigh the risk for each individual system before deciding to apply the fixes.
Meltdown and Spectre are variants of a side-channel attack that targets a CPU feature called speculative execution. But while Meltdown can be mitigated through OS-level patches, one variant of Spectre requires CPU microcode updates delivered through BIOS/UEFI.
The three attack variants are technically known as Bounds Check Bypass (Variant 1, Spectre), Branch Target Injection (Variant 2, Spectre) and Rogue Data Cache Load (Variant 3, Meltdown).
“In general, our experience is that Variant 1 and Variant 3 mitigations have minimal performance impact, while Variant 2 remediation, including OS and microcode, has a performance impact,” Terry Myerson, the executive vice president for the Windows and Devices Group at Microsoft, said in a blog post.
More specifically, Microsoft’s tests revealed that the performance impact on Windows 10 systems with 2016-era CPUs (Skylake, Kaby Lake or newer) will not be noticeable and will be measurable in milliseconds. However, on Windows 10 systems with Haswell or older CPUs, some users might notice a decrease in performance. Also, on systems with such CPUs running Windows 8 and Windows 7, most users will notice a performance degradation because there are more transitions between kernel and user space.
“Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance,” Myerson said. “This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.”
In general, the security risk from Meltdown and Spectre is more serious if the Windows Server instance accepts and executes untrusted binaries or code snippets supplied by users. In that case, the patches are needed to isolate the kernel’s memory from potentially malicious applications.