Zombie Flaw Hits Microsoft Office Users: Protect Yourself Now

News
By Paul Wagenseil
published

A two-decade old security flaw is being used to attack Windows machines that haven't been properly patched. Here's how to fix this problem.

Sometimes what should be dead never truly dies. An ancient vulnerability in Microsoft Office, patched in November 2017, is still being successfully used to attack Windows systems that have never been properly updated.

Credit: Romolo Tavani/Shutterstock

(Image credit: Romolo Tavani/Shutterstock)

Hapless victims can become infected simply by opening malicious documents, which can arrive as email attachments or as downloads. Microsoft on Friday (June 7) tweeted out a series of warnings from its Security Intelligence Twitter feed that an "active malware campaign" was sending malicious email messages containing corrupted files to users in Europe.

The command-and-control server for this campaign is now offline, but it would be simple for the attackers to resume operations with a new server. Other groups have exploited the same Office flaw in the past, and it's sure to be part of an attacker's toolkit for the foreseeable future.

To make sure you're immune to this flaw, make sure your Windows 7, 8.1 or 10 machines are fully patched. Go into Windows Update and check when your latest updates were run; if it was earlier than November 2017, you're still vulnerable. Microsoft Office 2019 should not be vulnerable, but older versions of Office may be.

MORE: Best Windows Antivirus

The flaw, known only by the catalog name CVE-2017-11882, has to do with the way Office handles Rich Text Format (RTF) files and translates certain bits of code using a component called Equation Editor.

If a user of an unpatched system opens a malicious RTF file in Microsoft Word, "the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the [malware] payload," Microsoft explained Friday.

"The backdoor payload then tries to connect to a malicious domain" that, fortunately, is "currently down."

The bug dates all the way back to 2000 and the first edition of Equation Editor, which let users construct scientific and mathematical formulas in Word. A different equation editor was introduced in Office 2007, but the older Equation Editor was kept on for compatibility purposes.

Microsoft's patch of CVE-2017-11882 in November 2017 revealed to the world the existence of the longstanding flaw in Equation Editor, and attackers began using it to target unpatched systems.

As a result, Microsoft removed Equation Editor from then-supported versions of Microsoft Office (Office 2007, 2010, 2013 and 2016) with a subsequent patch in January 2018.

Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.