Microsoft patched a 17-year-old remote code execution bug found in an Office executable called Microsoft Equation Editor on Tuesday 14th November 2017. The vulnerability (CVE-2017-11882) was patched as part of Microsoft’s November Patch Tuesday release of 53 fixes. While Microsoft rates the vulnerability only as “Important” in severity, the security researchers who found the bug call it extremely dangerous.
In a report released Tuesday by security firm Embedi, researchers argue the vulnerability is a threat because all versions of Microsoft Office from the past 17 years are vulnerable and because the vulnerability is exploitable on all Microsoft Windows versions (including Microsoft Windows 10 Creators Update). The Microsoft Equation Editor is installed by default with the Office suite. The application is used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents. Further analysis revealed that EQNEDT32.EXE was unsafe because, when executed, it ran outside of Office and didn’t benefit from many of the Microsoft Windows 10 and Office security features such as Control Flow Guard.
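One way to check which exploit mitigations a standalone executable such as EQNEDT32.EXE opts into is to read the DllCharacteristics field of its PE header. The script below is an added example, not code from Embedi or Microsoft; the helper names and the header-only sample image are constructed for illustration, and the page does not state the actual header values of EQNEDT32.EXE.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits defined by the PE/COFF format.
MITIGATION_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE (ASLR)": 0x0040,
    "NX_COMPAT (DEP)": 0x0100,
    "GUARD_CF (Control Flow Guard)": 0x4000,
}

def pe_mitigations(data: bytes) -> dict:
    """Return {mitigation: enabled?} from a PE image's DllCharacteristics."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("not a PE file: bad or truncated NT headers")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return {name: bool(flags & bit) for name, bit in MITIGATION_FLAGS.items()}

def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations the image does not opt into, sorted."""
    return sorted(n for n, on in pe_mitigations(data).items() if not on)

def constructed_pe(dll_characteristics: int) -> bytes:
    """Header-only PE32 image for testing (constructed, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> NT headers
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Usage: python pe_mitigations.py <path-to-exe> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            gaps = missing_mitigations(fh.read())
        print(f"{path}: missing {', '.join(gaps) or 'none'}")
```

The header bits show only what the binary was built to support; whether a mitigation is enforced at run time also depends on the Windows version and its exploit-protection settings.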
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street