Vulnerability Note VU#421280
Microsoft Office Equation Editor stack buffer overflow
Microsoft Equation Editor contains a stack buffer overflow, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Microsoft Equation Editor is a component that comes with Microsoft Office. It is an out-of-process COM server that is hosted by eqnedt32.exe. The Microsoft Equation Editor contains a stack buffer overflow vulnerability.
Memory corruption vulnerabilities in modern software are often mitigated by exploit protections, such as DEP and ASLR. More modern memory corruption protections include features like CFG. Even in a modern, fully-patched Microsoft Office 2016 system, the Microsoft Equation Editor lacks any exploit protections, however. This lack of exploit protections allows an attacker to achieve code execution more easily than if protections were in place. For example, because eqnedt32.exe was linked without the /DYNAMICBASE flag, it will not be loaded at a randomized location by default.
By convincing a user to open a specially-crafted Office document, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the logged-on user.
Apply an update
Disable Microsoft Equation Editor in Office
Add EMET or Windows Defender Exploit Guard protections to eqnedt32.exe
Exploitation of the vulnerable Equation Editor can be prevented by applying exploit mitigations to the eqnedt32.exe executable. In particular, enabling ASLR for should be sufficient to block the code re-use attack that is outlined in the Embedi documentation.
Enable system-wide ASLR in Windows
Windows with properly-enabled system-wide ASLR (see VU#817544 for more details affecting Windows 8 and newer systems) will block known exploits for this vulnerability.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||-||15 Nov 2017|
CVSS Metrics (Learn More)
This issue was reported by Microsoft, who in turn credit Denis Selianin of Embedi with discovery.
This document was written by Will Dormann.
- CVE IDs: CVE-2017-11882
- Date Public: 14 Nov 2017
- Date First Published: 15 Nov 2017
- Date Last Updated: 20 Nov 2017
- Document Revision: 24
If you have feedback, comments, or additional information about this vulnerability, please send us email.