This years-old Microsoft Office vulnerability is still popular with hackers, so patch now

Despite receiving a security update in 2017, cyber criminals are still finding success with this old vulnerability for delivering malware.
Written by Danny Palmer, Senior Writer

A years-old security vulnerability in Microsoft Office is still the most frequently exploited flaw by cyber criminals as a means of delivering malware to victims.

Analysis of cyberattacks between October and December 2020 by cybersecurity researchers at HP shows that one exploit accounts for almost three-quarters of all campaigns that attempt to take advantage of known vulnerabilities.

The exploit is CVE-2017-11882, a memory corruption vulnerability in Microsoft Office's Equation Editor, which was first disclosed in December 2017. When exploited successfully, it allows attackers to execute remote code on a vulnerable machine once the victim opens the malicious document – usually sent via a phishing email – that carries the exploit, providing them with an avenue for dropping malware.


But despite a security update being available to protect against the vulnerability for over three years, it's still the most frequent exploit used by cyber criminals to deliver malware via malicious Microsoft Office documents.

"The enduring popularity of Equation Editor exploits such as CVE-2017-11882 may be due to home users and businesses not updating to newer, patched versions of Office. We commonly see this vulnerability being exploited by attackers who distribute easily-obtainable [remote access trojans]," Alex Holland, senior malware analyst at HP Inc, told ZDNet.

The use of CVE-2017-11882 has dropped compared to the previous quarter, when it accounted for 87% of exploits used – but another vulnerability is gaining popularity, more than doubling in use in just the space of a few months.

CVE-2017-0199 is a remote code execution vulnerability in Microsoft Word, which first came to light in 2017. It allows attackers to download and execute PowerShell scripts on compromised machines, providing them with additional access.

Analysis of attacks by HP found that 22% of campaigns attempting to take advantage of unpatched vulnerabilities used CVE-2017-0199 during the last three months of 2020 – something that could have been prevented if cybersecurity teams had patched against it when a security update was released in 2017.

Email remains the key method for cyber criminals distributing malicious attachments in order to deliver malware – but there has been a slight change in the exact method of delivery.


Before the final quarter of 2020, malicious Word documents accounted for just over half of the files used to distribute exploits, but that share dropped to just under a third. Meanwhile, the use of Excel spreadsheets as a means of distributing exploits doubled in the same period, rising from one in ten detected instances to almost one in five.

"Excel appeals to attackers because it supports a legacy macro technology called Excel 4.0 or XLM. These older macros have proven more difficult to detect than their Visual Basic for Application counterparts because security tools struggle to parse them," said Holland.

But no matter the type of file that cyber attackers are attempting to use to distribute malware, there's a simple thing organisations can do to protect themselves from falling victim – apply the relevant security patches, especially if the updates have been available for many years already.
