CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
Percentile: 99.9%
Microsoft Equation Editor contains a stack buffer overflow, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Microsoft Equation Editor is a component that comes with Microsoft Office. It is an out-of-process COM server that is hosted by eqnedt32.exe. The Microsoft Equation Editor contains a stack buffer overflow vulnerability.
Memory corruption vulnerabilities in modern software are often mitigated by exploit protections such as DEP and ASLR. More modern memory corruption protections include features like CFG. However, even on a modern, fully patched Microsoft Office 2016 system, the Microsoft Equation Editor lacks any of these exploit protections. This lack of protections allows an attacker to achieve code execution more easily than if protections were in place. For example, because eqnedt32.exe was linked without the /DYNAMICBASE flag, it will not be loaded at a randomized location by default.
Because Equation Editor is an out-of-process COM server, protections specific to any Microsoft Office application may also have no effect on this vulnerability. For example, if the exploit document is an RTF document, the document will open in Microsoft Word. However, the COM server eqnedt32.exe is invoked by the Windows DCOM Server Process Launcher service, not by Word itself. For this reason, EMET or Windows Defender Exploit Guard protections configured for the Microsoft Office programs themselves will not protect users. For the same reason, none of the Windows Defender Exploit Guard Attack Surface Reduction (ASR) protections will help either.
Windows 7 users who have EMET configured with ASLR set to "always on" at a system-wide level are protected against known exploitation techniques for this vulnerability. Starting with Windows 8.0, system-wide ASLR provides entropy for non-DYNAMICBASE code only if bottom-up ASLR is also enabled system-wide. Neither EMET nor Windows Defender Exploit Guard configures system-wide bottom-up ASLR, though. Because of this, Windows 8.0 through Windows 10 systems must enable specific protections for this vulnerability.
By convincing a user to open a specially-crafted Office document, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the logged-on user.
Apply an update
This issue is addressed in CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability.
Disable Microsoft Equation Editor in Office
The vulnerable Equation Editor component can be disabled in Microsoft Office by importing the following registry values:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400
Add EMET or Windows Defender Exploit Guard protections to **eqnedt32.exe**
Exploitation of the vulnerable Equation Editor can be prevented by applying exploit mitigations to the eqnedt32.exe executable. In particular, enabling ASLR for eqnedt32.exe should be sufficient to block the code-reuse attack that is outlined in the Embedi documentation.
Enable system-wide ASLR in Windows
Windows with properly-enabled system-wide ASLR (see VU#817544 for more details affecting Windows 8 and newer systems) will block known exploits for this vulnerability.
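The following PowerShell script is an added example, not part of this note or of Microsoft's tooling. It audits a host for the workarounds above: whether the COM kill-bit from the registry file is set in each hive, whether eqnedt32.exe was linked with /DYNAMICBASE (checked directly from its PE header), and, on Windows 10 1709 or later, which Exploit Guard ASLR settings apply to it. The eqnedt32.exe path is an assumed default.

```powershell
# Added audit script (not part of the CERT note or Microsoft's tooling). Assumes the default
# 32-bit Office shared path for eqnedt32.exe; adjust $ExePath for other install locations.

$KillBitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}'
)

function Get-EquationEditorKillBit {
    # Reports, per registry key, whether the 0x400 "Compatibility Flags" bit from the workaround is set.
    # On 32-bit Windows only the first (non-Wow6432Node) key exists.
    foreach ($key in $KillBitKeys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [PSCustomObject]@{
            Key     = $key
            Flags   = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(missing)' }
            KillBit = [bool]($flags -band 0x400)
        }
    }
}

function Get-PeDllCharacteristics {
    param([Parameter(Mandatory)][string]$Path)
    # Parses the PE header directly: e_lfanew lives at DOS-header offset 0x3C; the optional header
    # starts 24 bytes after the "PE\0\0" signature, and DllCharacteristics sits at offset 70 within it
    # (same offset for PE32 and PE32+).
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { throw "Not a PE image: $Path" }
    $dllChars = [BitConverter]::ToUInt16($bytes, $peOffset + 24 + 70)
    [PSCustomObject]@{
        Path        = $Path
        DynamicBase = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE)
        NxCompat    = [bool]($dllChars -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (/NXCOMPAT)
    }
}

$ExePath = "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\eqnedt32.exe"   # assumed default path

Get-EquationEditorKillBit | Format-Table -AutoSize
if (Test-Path -LiteralPath $ExePath) {
    Get-PeDllCharacteristics -Path $ExePath | Format-List
    # Windows 10 1709+ only: per-process Exploit Guard ASLR settings (ForceRelocateImages, BottomUp, ...)
    if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
        (Get-ProcessMitigation -Name 'eqnedt32.exe').ASLR | Format-List
    }
} else {
    Write-Output "eqnedt32.exe not found at $ExePath (Equation Editor not installed, or non-default path)."
}
```

A host where the kill-bit is set in both keys, or where ForceRelocateImages and BottomUp are on for eqnedt32.exe, has applied one of the workarounds this note describes; DynamicBase reported as False confirms the binary itself still ships without /DYNAMICBASE.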
VU#421280
Vendor status: Affected (updated November 15, 2017)
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 5.5 | E:U/RL:OF/RC:C |
Environmental | 5.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
This issue was reported by Microsoft, who in turn credit Denis Selianin of Embedi with discovery.
This document was written by Will Dormann.
CVE IDs: CVE-2017-11882
Date Public: 2017-11-14
Date First Published:
blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
msdn.microsoft.com/en-us/library/bb430720.aspx?f=255&MSPPError=-2147217396
msdn.microsoft.com/en-us/library/windows/desktop/ms683835(v=vs.85).aspx
msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
www.microsoft.com/en-us/download/details.aspx?id=54264