New Microsoft patch round closes Office leak that allows code execution

Microsoft has fixed a total of 53 vulnerabilities in its new patch round, or Patch Tuesday, of which 25 RCE leaks. Below that is a leak in Office, which is present in the so-called equation editor.

The vulnerability in question, with attribute CVE-2017-11882, allows remote code execution, according to Microsoft, through the way Office handles memory objects. If the user of the vulnerable system is an administrator, an attacker can take over. An attack can be carried out using a malicious file created in Office or WordPad. Microsoft mentions the possibility that an attacker can get the file to a target via a link in an email, for example. There would be no active exploitation of the leak at this time.

Security firm Embedi, which discovered the vulnerability, has devoted a blog post and report to its analysis. The company looked at outdated parts of Microsoft Office, including the equation editor for editing equations in documents. The tool had a function in Office 2000 and 2003, and is actually obsolete in newer versions of the software.

Still, the tool remained for compatibility reasons, Embedi said. Researchers discovered that it was possible to cause a buffer overflow and thus achieve code execution. Use of the vulnerability only required the target to open a particular file. According to Embedi, the attack works on all Office versions and all Windows versions up to the Creators Update. Protected View protects against this method, which works through OLE objects.

Security firm Qualys writes in its analysis of the updates that Microsoft has not patched any actively attacked vulnerabilities this month and that it has not identified any of the vulnerabilities for Windows as critical. All vulnerabilities that have been patched can be found on the relevant Microsoft page. Adobe also released a large number of patches.