Microsoft Kills Old Office Equation Editor Due to New Flaw

Microsoft has removed a 17-year-old Office component called the Equation Editor after researchers found an arbitrary code execution flaw in it. This is the second serious vulnerability found in the old code that was kept around for compatibility reasons.

The Microsoft Equation Editor (EQNEDT32.EXE) allows users to insert mathematical and scientific equations into Word documents. The component has remained unchanged in the company’s Office suite since November 2000 and was replaced with new functionality in Office 2007, but the old component was kept as well.

In November, Microsoft fixed a serious buffer overflow bug in the Equation Editor that allowed attackers to execute malicious code when users opened specially crafted documents. It was later discovered that, to fix the flaw, the company directly patched the binary file rather than actually making changes to the component’s source code. This unusual patching method prompted speculation that Microsoft might have lost the source code for this old component.

Since November, the EQNEDT32.EXE vulnerability, tracked as CVE-2017-11882, has been adopted by various malicious actors, including an Iranian cyberespionage group and the Cobalt hackers. As a result, more researchers have started to analyze the old component for similar flaws and, sure enough, they found another vulnerability that allows for the same kind of attack as CVE-2017-11882.

The new vulnerability, revealed Jan. 9, is called CVE-2018-0802 and was independently found and reported by researchers from Check Point Software Technologies, Qihoo 360, Tencent PC Manager and ACROS Security.

Moreover, the Check Point researchers demonstrated that it can be exploited despite Microsoft adding ASLR protection to the Equation Editor in November in an attempt to make exploitation of future flaws more difficult. As a result, Microsoft has now decided to completely remove the component.

On Jan. 9, the company fixed a total of 59 vulnerabilities in Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework, .NET Core and ASP.NET Core. Those include the critical Meltdown and Spectre vulnerabilities that affect most processors.

Microsoft will also deliver the Flash Player patch released by Adobe through Windows Update. That patch addresses an important information disclosure vulnerability.

According to Jimmy Graham from security vendor Qualys, system administrators should prioritize the fixes for Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754), then those for Outlook, Word and the scripting engine in browsers.

It’s worth noting that Microsoft has temporarily halted the delivery of Meltdown and Spectre patches to systems with AMD processors because they caused an unusually large number of errors, leaving computers in an unbootable state.

Also, some antivirus programs are incompatible with the patches and can cause system crashes (blue screens of death). Because of this, Microsoft will not deliver any future security updates to those computers—not just the Meltdown and Spectre patches—until those antivirus products are uninstalled or updated to a compatible version. This is determined by checking for the presence of a registry key.

Companies Should Weigh Performance vs. Security Needs for Spectre Patch

Microsoft has run tests and determined that the patches for Spectre are likely to cause a noticeable performance impact on some systems, especially on Windows servers with IO-intensive operations. As a result, it advises companies to weigh the risk for each individual system before deciding to apply the fixes.

Meltdown and Spectre are variants of a side-channel attack that targets a CPU feature called speculative execution. But while Meltdown can be mitigated through OS-level patches, one variant of Spectre requires CPU microcode updates delivered through BIOS/UEFI.

The three attack variants are technically known as Bounds Check Bypass (Spectre), Branch Target Injection (Spectre) and Rogue Data Cache Load (Meltdown).

“In general, our experience is that Variant 1 and Variant 3 mitigations have minimal performance impact, while Variant 2 remediation, including OS and microcode, has a performance impact,” Terry Myerson, the executive vice president for the Windows and Devices Group at Microsoft, said in a blog post.

More specifically, Microsoft’s tests revealed that the performance impact on Windows 10 systems with 2016-era CPUs (Skylake, Kaby Lake or newer) will not be noticeable and will be measurable in milliseconds. However, on Windows 10 systems with Haswell or older CPUs, some users might notice a decrease in performance. Also, on systems with such CPUs running Windows 8 and Windows 7, most users will notice a performance degradation because those versions make more transitions between the kernel and user space.

“Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance,” Myerson said. “This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.”

In general, the security risk from Meltdown and Spectre is more serious if the Windows Server instance accepts and executes untrusted binaries or code snippets supplied by users. In that case, the patches are needed to isolate the kernel’s memory from potentially malicious applications.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42


4 thoughts on “Microsoft Kills Old Office Equation Editor Due to New Flaw”

  • January 11, 2018 at 1:56 am

    the company fixed a total of 59 vulnerabilities in Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework, .NET Core and ASP.NET Core.

    Thanks for fixing them.
    I was also having issues in .net core ( http://asporacle.com/asp-net-core/top-10-mistakes-net-core/ )

  • January 11, 2018 at 8:19 am

    Is anyone else disturbed by this? This happened to me yesterday. All of a sudden, I could no longer edit my old equations. This is strike three for me: VisualBasic is no longer supported, and MathCad is incompatible with Windows 10 (and the company has no plans to make it compatible). I had been using both for over 20 years. Now I can hardly work at all. I can use the new equation tool, but it has only one font and the equations are ugly. The hacker-terrorists have won. Time to retire.

  • January 12, 2018 at 10:40 am

    I’ve been writing my paper in IEEE format for days. I need to use Microsoft Equation 3 to add equations, and now I have to edit some, but I can’t. Microsoft should have notified users first before distributing this update to all Microsoft Office installations. Hmm...
