A long-standing and unpatched problem in Office provides a stealthy doorway to other security problems in Office, and Equation Editor is already being targeted.
Mimecast discovered an undocumented behavior in OLE (Object Linking and Embedding) which is a doorway into security bugs in Office. It isn’t a security problem on its own; instead, it’s a sneaky way for hackers to get into your computer without triggering the usual anti-virus protections.
The OLE integer overflow problem was found in mid-2018 and reported to Microsoft. Redmond decided not to take action because, by their very narrow definition, the OLE issue wasn’t a direct security exploit.
Now a Serbian-based group is using that OLE problem to bypass many anti-virus checks and target a known and patched exploit in the old Office Equation Editor.
Equation Editor history
In late 2017 and after 17 years, Microsoft discovered a security bug in their older Equation Editor. That would have been embarrassing if Microsoft was capable of such a thing.
Even worse, it seems Microsoft didn’t have the original programming code for the Equation Editor and had to manually hack the Equation Editor program.
Even if Office / Equation Editor hasn’t been patched, anti-virus security software should be able to detect and stop infected documents before they run on a computer.
The new exploit targets organizations or users who have not updated Office 2007 or later with the security patches that fix the old Equation Editor.
The Serbian group’s trick is using the OLE issue to bypass those security scans and reach unpatched Equation Editors.
It’s possible other hackers will try the same OLE trick to fool security software and target other Office security bugs.
What to do?
There’s nothing urgent that needs patching or updating.
If you’ve updated your Office for Windows anytime in the last year then you’ll have received the fixed Equation Editor and are therefore protected from any infection from that security bug, however it’s delivered to you.
Aside from that, the usual precautions apply …
Always be wary of any incoming Office documents, especially any in the older .doc .xls .ppt formats.
Keep your anti-virus and security software up to date. For most people that means Windows Defender that comes with Windows and should be automatically updated.
What Microsoft should do
Microsoft should stop finely parsing their security rules (presumably to save money) and fix the OLE integer overflow problem.
There should not be a stealthy path into Office vulnerabilities. It would be safer for Microsoft’s paying customers if the OLE Integer Overflow bug were fixed.
OLE is old technology but it’s still supplied with Office, which makes it Microsoft’s responsibility.