17-Year-Old Vulnerability Fixed then Attacked

Tuesday, November 28, 2017 @ 03:11 PM gHale


A 17-year-old vulnerability in Microsoft Office fixed this month is now undergoing attacks from a hacking group, researchers said.

Microsoft fixed in its November Patch Tuesday a hole in the Microsoft Equation Editor (EQNEDT32.EXE) that has a case number of CVE-2017-11882.

RELATED STORIES
Attackers Hit Transit System in CA, Demand Ransom
SF Metro Victim of Ransomware
API: Finding Success from a Failure
API: Learn Who to Trust

The issue was found in a component that remained unchanged in Microsoft’s Office suite since November 9, 2000.

An Office component designed to facilitate the creation of math and science equations, the Equation Editor ended up replaced in Office 2007 with new methods of displaying and editing equations. However, the old tool continues to be part of the popular Office suite to ensure compatibility with older documents.

The vulnerability has just started being exploited by the Cobalt hacking group, said researchers at ReversingLabs in a post.

A malicious file got in touch with a remote server to grab a first-stage payload it would execute using MSHTA.exe. The executed code would then connect to the remote server to fetch a second-stage payload, a script that would drop an embedded, final payload.

This appears to be the Cobalt Strike backdoor, the group’s preferred malicious tool. The malware allows the attackers to execute remote commands on the infected systems.

Considering unpatched EQNEDT32.EXE instances put Office users at risk, regardless of the Windows version their systems run. The 17-year-old bug affected machines running Windows 10 Creators Update, which explains why hackers are already exploiting the vulnerability.

Proof-of-concept exploits for the vulnerability ended up published soon after the vulnerability became public, so there’s no surprise that Cobalt has already started targeting the bug, especially since the hacking group is known to be a fast adopter of newly discovered exploits.



Leave a Reply

You must be logged in to post a comment.