Source: go.theregister.com – Author: Paul Kunert
Very few people are immune to the siren song of nostalgia, a yearning for a “better time” when this was all fields and kids respected their elders – and it looks like cyber criminals are no exception.
Malware campaigns continue targeting a 2017-patched vulnerability in Microsoft Office Equation Editor software that was discontinued in 2018, according to an infosec hound at SANS Internet Storm Centre.
“One of the key messages broadcasted by security professionals is: ‘Patch, patch, and patch again,’” security consultant Xavier Mertens said in a malware analysis posted today.
“But [there] are nasty vulnerabilities that remain exploited by attackers even if they are pretty old. CVE-2017-11882 is one of them: this remote code execution affects Microsoft Office and, more precisely, the good old ‘Equation Editor.’
“This tool was even killed by Microsoft due to numerous security issues. But it still remains used by attackers to spread modern malware,” he added.
CVE-2017-11882, published in November 2017, covers a remote code execution vulnerability in Microsoft Office’s Equation Editor 3.0 – allowing an attacker with a malicious document to take over any system running an affected version of Microsoft Office or WordPad.
“In an email attack scenario,” the company warned at the time, “an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.”
The flaw was patched, though other issues would lead Microsoft to remove the original Equation Editor – built atop the more powerful MathType software from Data Science and retained for longer than it should have been to provide backwards compatibility – altogether in 2018, replacing it with a from-scratch successor at the cost of a loss of support for editing equations in older files.
As a result, no currently-supported versions of Office are vulnerable to exploitation through CVE-2017-11882 – but that isn’t stopping attackers from trying, apparently eager for a return to the bad old days of easily-exploited Swiss-cheese productivity suites.
Mertens’ write-up covers an XLAM file, a VisualBasic-enabled add-in for Microsoft Excel, masquerading as a purchase order – and containing not the expected malicious VBA macro but an exploit targeting the long-since-shuttered Equation Editor.
If loaded into a vulnerable version of Office or WordPad, a difficult thing to do in the year 2025 unless you’re really trying, the file installs a shiny new keylogger – and you can kiss your system security goodbye.
Those still running software impacted by CVE-2017-11882 are advised to maybe not do that any more, unless you want to make a nostalgic malware author’s day a happy one. ®
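For defenders triaging attachments like the XLAM file described above, the following added example (not from Mertens' analysis or the original article) checks an Office Open XML container for embedded OLE objects that reference Equation Editor 3.0. The size limit, the part names and the sample container are assumptions constructed for illustration; the CLSID, stream name and ProgID are the standard Equation Editor identifiers.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
MAX_PART = 32 * 1024 * 1024  # skip oversized parts (assumed triage limit)

# Byte patterns that indicate an embedded Equation Editor 3.0 object.
MARKERS = {
    # CLSID {0002CE02-0000-0000-C000-000000000046} in on-disk GUID byte order
    "clsid": bytes.fromhex("02CE020000000000C000000000000046"),
    # OLE stream names are stored as UTF-16LE
    "stream": "Equation Native".encode("utf-16-le"),
    "progid": b"Equation.3",
}


def scan_ooxml(data: bytes) -> list[tuple[str, list[str]]]:
    """Return (part name, matched markers) for each OLE part that matches."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_PART:
                continue
            part = zf.read(info)
            if not part.startswith(OLE_MAGIC):
                continue  # not an embedded OLE compound file
            hits = sorted(name for name, pat in MARKERS.items() if pat in part)
            if hits:
                findings.append((info.filename, hits))
    return findings


def build_sample() -> bytes:
    """Constructed, inert container: marker bytes only, no exploit content."""
    ole = OLE_MAGIC + b"\x00" * 72 + MARKERS["clsid"] + MARKERS["stream"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", ole)
        zf.writestr("xl/embeddings/oleObject2.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in scan_ooxml(build_sample()):
        print(f"{name}: Equation Editor markers {hits}")
```

A hit means the file embeds an Equation Editor object and deserves closer analysis, not that it is an exploit; a clean result does not clear a file, since objects can be wrapped or obfuscated in ways a byte search misses.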
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/08/13/crooks_cant_let_go_active/