Prevent remote code execution by disabling Microsoft’s Equation Editor now

While many of us are looking forward to some well-earned time off, cyber attacks aren’t taking any breaks this holiday season. In late November, the Cobalt Cybercriminal Group took advantage of a 17-year-old vulnerability in Microsoft Office’s Equation Editor, the CVE-2017-11882 exploit.

The Cobalt Cybercriminal Group, which has been around since 2016, primarily targets financial organizations, often using phishing to breach networks. While previous Cobalt attacks have exploited computers across Europe and Asia, they now seem to be expanding their operations by targeting Microsoft Office users worldwide.

How Cobalt exploits this vulnerability

Microsoft Office’s Equation Editor allows Office users to create and embed mathematical equations in their documents. It’s a relatively old tool that is available in Office 2007 and older. The CVE-2017-11882 exploit enables attackers to achieve remote code execution through the Equation Editor.

Shortly after Microsoft released a patch for this Equation Editor vulnerability, ReversingLabs discovered that the hacking group Cobalt was distributing a Rich Text Format (RTF) document that exploited it. As in other remote code execution attacks, once the file is opened on a victim’s computer it contacts a remote C&C server and downloads a series of three payloads. The final payload in Cobalt’s Equation Editor attack, a Cobalt Strike backdoor, comes in both 32- and 64-bit builds, so it can run on a victim’s system regardless of its architecture.

Two simple ways to protect yourself from this threat

Your first option is the one Microsoft suggests: disable the Equation Editor to guard against this potential breach. Disabling the Equation Editor has its own consequences, however, so Microsoft has also provided instructions for re-enabling it should you find you need it. If you only have a few systems to protect, following Microsoft’s instructions should be sufficient. If many computers are affected, you may need the second option: using a tool like Desktop Central to resolve this vulnerability quickly across your entire enterprise.

In response to the Equation Editor vulnerability, Desktop Central has added a new script to its script template, “DisableEquationEditorInOffice.bat.” Installing this script will disable the Equation Editor across your entire network.
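For administrators who want to see what such a script has to do on each machine, here is an added PowerShell example (not the page’s DisableEquationEditorInOffice.bat and not Microsoft’s or ManageEngine’s code). It applies Microsoft’s documented workaround for CVE-2017-11882: setting the COM Compatibility flag 0x400 on the Equation Editor CLSID so Office refuses to load it. It assumes an elevated session on a 64-bit Windows host and uses a `-Restore` switch (my naming) to undo the change.

```powershell
# Added example: disable (or restore) Microsoft Equation 3.0 via Microsoft's
# documented COM Compatibility workaround for CVE-2017-11882. Run elevated.
param([switch]$Restore)

# CLSID of Microsoft Equation 3.0 (Equation.3), as given in Microsoft's advisory.
$clsid = '{0002CE02-0000-0000-C000-000000000046}'
# 0x400 = "disable without exceptions": Office will not instantiate the control.
$flag  = 0x400

# 32-bit Office on 64-bit Windows reads the WOW6432Node view, so set both.
$paths = @(
  "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$clsid",
  "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$clsid"
)

foreach ($p in $paths) {
  if (-not $Restore) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $flag -Type DWord
  } elseif (Test-Path $p) {
    # Re-enable by removing the flag; Microsoft's re-enable guidance does the same.
    Remove-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
  }
}

# Audit step: report the effective state per registry view so the change can be
# verified on each host (useful as a compliance check after mass deployment).
foreach ($p in $paths) {
  $v = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
  $state = if ($v -band $flag) { 'DISABLED' } else { 'enabled' }
  Write-Output ('{0,-8} {1}' -f $state, $p)
}
```

The workaround only blocks the vulnerable control from loading; it is a stopgap until the November 2017 patches are installed, not a replacement for them.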

Microsoft has already addressed this problem in its November 2017 patch update, with updates KB3162047, KB4011604, KB4011262, and KB4011618. If you’ve already updated your systems with these latest patches from Microsoft, you should be safe. If you haven’t installed these patches yet, Desktop Central can help you resolve this vulnerability immediately using its patch management feature.

You can install the patches specific to this vulnerability by navigating to Patch Management >> Supported Patches >> Bulletin ID. After searching for “MS17-NOV6”, select all applicable bulletins and deploy them to your target systems.

If you’re still resolving vulnerabilities one by one, it’s high time to employ an endpoint management solution to resolve threats from a central location. If security researchers’ predictions are right, enterprises can expect to see more cyber attacks in 2018.

** Optrics Inc. is an authorized ManageEngine reseller

The original article can be found here: