Microsoft has patched a remote code execution bug that researchers found in remnants of a 17-year-old executable, unshielded by any of Microsoft's modern Windows 10 exploit mitigations.
Researchers at security firm Embedi found the bug in an ancient Microsoft tool called Microsoft Equation Editor, whose executable EQNEDT32.EXE was compiled in 2000 and has remained unchanged in Office ever since.
The tool was used to insert mathematical formulas into Office documents, but was redundant by Office 2007. Embedi speculates Microsoft left it there for backwards compatibility.
Embedi used Microsoft's own BinScope tool to find the vulnerable executable. BinScope analyzes binaries to check that a project complies with Microsoft's Security Development Lifecycle (SDL).
The SDL program was born in 2002, along with Bill Gates' famous Trustworthy Computing memo, which detailed how new security initiatives would prevent a repeat of several major malware outbreaks at the time, such as the ILOVEYOU worm.
In other words, Equation Editor was built before Microsoft began building software according to the principles of SDL.
BinScope helped the researchers find the most obsolete components of Microsoft Office 2016, and identified EQNEDT32.EXE as unsafe. Another Microsoft tool called ProcessMitigations helped illustrate how vulnerable it was, since even old exploit mitigation technologies such as DEP and ASLR were turned off in the 2000-compiled executable.
The module was also not protected by Microsoft's latest Windows 10 mitigations, such as Control Flow Guard.
"Thus, it was crystal clear that if a vulnerability were found, no security mitigation would prevent an attacker from exploiting it," Embedi says in a technical write-up.
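The header check that singles out a binary like this can be reproduced in a few lines. The Python below is an added example, not Embedi's or Microsoft's code: it reads the link timestamp and the DllCharacteristics opt-in bits for ASLR, DEP and Control Flow Guard from a PE header, and the two sample headers (and the helper `build_sample`) are constructed for the demo, not taken from EQNEDT32.EXE.

```python
import struct
from datetime import datetime, timezone

# DllCharacteristics bits defined in the PE/COFF specification
MITIGATIONS = {"ASLR": 0x0040, "DEP": 0x0100, "CFG": 0x4000}

def pe_mitigations(data: bytes):
    """Return (link_year, {mitigation: enabled}) read from a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(data):
        raise ValueError("PE signature not found")
    # COFF header: TimeDateStamp at +8, SizeOfOptionalHeader at +20
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    if opt_size < 72 or opt_off + 72 > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (flags,) = struct.unpack_from("<H", data, opt_off + 70)
    year = datetime.fromtimestamp(stamp, tz=timezone.utc).year
    return year, {name: bool(flags & bit) for name, bit in MITIGATIONS.items()}

def build_sample(flags: int, stamp: int) -> bytes:
    """Constructed minimal PE32 header (hypothetical helper, not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<H", opt, 70, flags)     # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed inputs: a 2000-era header with no opt-in bits, and a modern one
LEGACY = build_sample(0x0000, 973036800)
MODERN = build_sample(0x4140, 1500000000)      # ASLR + DEP + CFG set

if __name__ == "__main__":
    for label, image in (("legacy", LEGACY), ("modern", MODERN)):
        print(label, pe_mitigations(image))
```

These bits record only what the linker opted into; mitigations forced on by operating system policy are not visible in the header.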
Microsoft released a patch for the Office vulnerability, tagged as CVE-2017-11882, in yesterday's November Patch Tuesday update.
"Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software," explains Microsoft.
Attackers could use email or the web to direct the attack at a user but would need to convince a target to open the rigged file.
The bug affects all supported versions of Office, from Office 2016 through to Office 2007 SP3 running on Windows 7 through to Windows 10.
Embedi created an exploit that worked against all versions of Office released in the past 17 years, including Office 365, running on Windows 7, Windows 8.1, and the Windows 10 Creators Update.
They note that Office's Protected View was an obstacle as it blocks active content execution for macros and Object Linking and Embedding (OLE).
OLE is used by Equation Editor to embed data and display images in a document. But as many recent targeted attacks using Office documents have shown, social engineering can help bypass this.
Embedi's attack relied on two buffer overflows its researchers found and used several OLEs to attack the flaws and execute arbitrary commands, such as downloading a file from the internet and executing it. A convenient way to execute arbitrary code is to launch an executable file from an attacker-controlled WebDAV server, Embedi notes.
The security firm believes the component has many more easily exploitable vulnerabilities and recommends disabling it in the Windows registry to prevent exploitation. However, it also notes that Office Protected View will significantly mitigate the threat for Windows 8.1 and Windows 10.
Embedi's video explains how the vulnerability could be exploited.