WORD EQUATION FIASCO
February 05, 2018
Every family has a skeleton in its closet, one that often remains hidden for a long time. But sooner or later, them bones will begin talking – and when they do, they will sing loudly, indicting the people behind their troubles, and revealing to the world their perfidy and failings.
For Microsoft, the latest skeleton to emerge is the technology that allows users to embed an object in a document. The embedding is done using OLE (Object Linking and Embedding), which, among other things, allows users of Microsoft Word to form equations and mathematical formulas in their documents. Researchers found that attackers could exploit a vulnerability in this embedding path by sending victims specially crafted documents and getting them to open those documents through social engineering and other methods.
Because the vulnerability is carried inside the document itself (as part of the file), it went undetected by anti-virus, anti-malware, sandbox, and other defensive systems – putting users at risk for an attack that, for more than a decade and a half, they had no idea was even possible. All users of Microsoft documents over the years were vulnerable to this exploit – all except those whose networks are equipped with Votiro’s Advanced Content Disarm and Reconstruction (CDR) technology, which is able to tackle various threats online by sanitizing the file before it reaches the user.
Just what is the problem with these files? According to research by security firm Embedi, an equation editor used for OLE embedding – EQNEDT32.EXE – had a serious bug that enables attackers to use a stack-based buffer overflow to execute code remotely. It is shocking enough that a large, sophisticated company like Microsoft would miss this – but even more shocking is that this bug has apparently been around for 17 years, traveling with EQNEDT32.EXE since the executable was released in 2000.
Even worse, a patch for the problem was apparently bungled by MS staff – the patch was applied to the binary directly rather than to the component’s source code (rumor has it that the original source code was lost) – and as a result the original source code remained intact for backward compatibility purposes, so nothing was really solved. In the end, Microsoft was forced to retire the executable – but legacy documents are still vulnerable.
Named CVE-2017-11882, the bug allowed full remote code execution because the executable lacked several protections (ASLR, DEP, and stack canaries). The bug has reportedly been used by several hacker groups, including an Iranian cyber-espionage group, which carried out its attacks after MS issued the original patch for the bug. Further tests revealed yet another, similar bug in the code, CVE-2018-0802. With the spotlight turned on EQNEDT32.EXE, the second bug was discovered independently by seven different firms, including Check Point, Qihoo 360, Tencent PC Manager and ACROS Security.
The fact that the bug is 17 years old means that millions of documents are vulnerable, and as the original code is apparently non-repairable, advice has appeared on hundreds of websites, user forums, Twitter discussions, Facebook pages, and other venues discussing ways to protect systems from the vulnerabilities. Most of the solutions involve monkeying around with the Windows registry – recommended only for those who know their way around it, and a last resort even for them.
Because of the ubiquity of the problem, the EQNEDT32.EXE scandal is the cause of major discomfort among IT staff in many organizations – but Votiro customers could be forgiven for being ignorant of the whole mess. That’s because Votiro’s CDR technology breaks down files into distinct components and removes anything that does not match a file’s specification or calls code or connections that are not typical to the profile of the item.
Thus, an embedded OLE object that contains an exploitable vulnerability would be removed by CDR technology before it gets to the user. The vulnerability is extracted and the file is reconstructed without it – a fully functioning file that works the way it is supposed to, sans threat. Votiro’s CDR technology had been sanitizing equations for a long time before the whole equation fiasco broke loose, which means that our customers didn’t have to think twice before opening documents – even documents that are the “victims” of a 17-year-old lapse in security by Microsoft.
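To make the "break the file into components and drop what does not belong" idea concrete, here is an added Python example (not Votiro's code, and not code from the post) that performs one narrow CDR-style pass on a .docx: it lists every embedded OLE object whose ProgID names Equation Editor 3.0, checks that the embedded part really is an OLE compound file, and then rebuilds the package without the hosting `w:object`, its relationship entry and the binary part. The ProgID `Equation.3`, the OOXML namespace URIs and the compound-file signature are stated here as assumptions based on the public file-format specifications; the post only names EQNEDT32.EXE. The sample document is constructed inline so the script runs offline.

```python
"""Detect and strip Equation Editor 3.0 OLE objects from a .docx (simplified CDR pass)."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# OOXML / Office namespaces (assumed from the public specs, not from the post).
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
O = "urn:schemas-microsoft-com:office:office"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR = "http://schemas.openxmlformats.org/package/2006/relationships"
for prefix, uri in (("w", W), ("o", O), ("r", R), ("", PR)):
    ET.register_namespace(prefix, uri)

EQUATION_PROGID = "Equation.3"   # ProgID served by EQNEDT32.EXE (assumption)
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature
DOC_PART = "word/document.xml"
RELS_PART = "word/_rels/document.xml.rels"


def _rel_targets(rels_xml: bytes) -> dict:
    """Map relationship Id -> zip part name (targets are relative to word/)."""
    out = {}
    for rel in ET.fromstring(rels_xml).iter(f"{{{PR}}}Relationship"):
        target = rel.get("Target", "")
        out[rel.get("Id")] = target.lstrip("/") if target.startswith("/") \
            else posixpath.normpath("word/" + target)
    return out


def read_part(docx_bytes: bytes, name: str):
    """Return a part's bytes, or None if the package has no such part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name) if name in z.namelist() else None


def find_equation_objects(docx_bytes: bytes) -> list:
    """Return (rId, part name, is_compound_file) for every Equation.3 object."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels = _rel_targets(z.read(RELS_PART))
        for ole in ET.fromstring(z.read(DOC_PART)).iter(f"{{{O}}}OLEObject"):
            if ole.get("ProgID") != EQUATION_PROGID:
                continue
            rid = ole.get(f"{{{R}}}id")
            part = rels.get(rid)
            is_cfb = part in z.namelist() and z.read(part).startswith(CFB_MAGIC)
            hits.append((rid, part, is_cfb))
    return hits


def sanitize(docx_bytes: bytes) -> tuple:
    """Rebuild the package without Equation.3 objects. Returns (bytes, removed count)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read(DOC_PART))
        rels = ET.fromstring(z.read(RELS_PART))
        targets = _rel_targets(z.read(RELS_PART))
        parents = {child: parent for parent in doc.iter() for child in parent}
        drop_ids = set()
        for ole in list(doc.iter(f"{{{O}}}OLEObject")):
            if ole.get("ProgID") != EQUATION_PROGID:
                continue
            drop_ids.add(ole.get(f"{{{R}}}id"))
            node = ole  # climb to the w:object that hosts the OLE reference
            while node.tag != f"{{{W}}}object" and parents.get(node) is not doc:
                node = parents[node]
            if node in list(parents[node]):
                parents[node].remove(node)
        for rel in list(rels):  # drop the relationship entries that pointed at them
            if rel.get("Id") in drop_ids:
                rels.remove(rel)
        drop_parts = {targets[i] for i in drop_ids if i in targets}
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
            for info in z.infolist():  # keep original part order, skip removed binaries
                if info.filename in drop_parts:
                    continue
                if info.filename == DOC_PART:
                    data = ET.tostring(doc, xml_declaration=True, encoding="UTF-8")
                elif info.filename == RELS_PART:
                    data = ET.tostring(rels, xml_declaration=True, encoding="UTF-8")
                else:
                    data = z.read(info.filename)
                zout.writestr(info.filename, data)
    return out.getvalue(), len(drop_ids)


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: one text paragraph plus one Equation.3 object."""
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
              '<Default Extension="xml" ContentType="application/xml"/>'
              '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/></Types>')
    root_rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PR}"><Relationship Id="rId1" '
                 'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>')
    doc_rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PR}"><Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/></Relationships>')
    document = (f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W}" xmlns:o="{O}" xmlns:r="{R}"><w:body>'
                '<w:p><w:r><w:t>Quarterly report text stays.</w:t></w:r></w:p>'
                '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Equation.3" DrawAspect="Content" ObjectID="_1" r:id="rId1"/>'
                '</w:object></w:r></w:p></w:body></w:document>')
    ole_part = CFB_MAGIC + b"\x00" * 504  # stand-in compound file header, no real equation stream
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in (("[Content_Types].xml", ctypes), ("_rels/.rels", root_rels), (DOC_PART, document),
                           (RELS_PART, doc_rels), ("word/embeddings/oleObject1.bin", ole_part)):
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", find_equation_objects(sample))
    clean, removed = sanitize(sample)
    print("removed:", removed, "after:", find_equation_objects(clean))
```

Two caveats for anyone adapting this to real files: ElementTree drops namespace declarations that are unused after parsing, so a real `document.xml` whose root carries an `mc:Ignorable` list needs those declarations restored before Word will open the result; and removing the `w:object` also removes the equation's fallback picture, which is the intended trade-off of a sanitizing pass (the document keeps working, the object does not).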