A short while ago, security experts discovered the security breach CVE-2017-11882 in the Microsoft Office suite. Microsoft reacted quickly and closed the breach with a security update. Due to the publication of the exploit, however, attackers are now aware of the breach and target systems that haven’t been patched yet.

 

All Office versions besides Office 365 are affected by the security breach. The exploit is located in the Equation editor of Microsoft, which is a former version of the formula editor. It uses a buffer overflow which allows the attacker to execute his hazardous code on the user’s system. Through this, it is possible to download malware from the Internet and to install them.

 

Breach existed for 17 years

 

The Equation editor was compiled in 2000 and since then never reconditioned. Due to this, it is not fulfilling current security standards and allows a buffer overflow to happen which leads to the exploit. Even though the causing formula editor was replaced in Office 2007, it is still part of the package in order to ensure backward compatibility with older document versions, where the 17-year-old piece of software is needed to display and edit mathematical formula.

 

The only interaction necessary for the exploit to be executed is for a user to open the infected document. After that, the hazardous code will be executed automatically. Only the protected view, the so-called sandbox of the Office programs, is prohibiting its execution.

 

Hornetsecurity detects exploit in documents

 

Since the security breach was published, attackers are increasingly trying to distribute infected Office documents using the exploit. However, Hornetsecurity adapted its filters so it can detect infected documents before they appear in the mailbox. Nevertheless, we advise you to perform the security update as soon as possible.