OLE Integer Overflow bug left unpatchedĭuring one of the attacks detected by the researcher, the hacking group "dropped a new variant of Java JACKSBOT, a remote access backdoor that could only be active or infect its target if Java was installed.
Once the overflow bug present in the "Object Linking and Embedding (OLE) file format and the way it’s handled in Microsoft Office Word" is triggered and the attackers leverage the Equation Editor Exploit, they can drop any malware payload after gaining administrative user rights either by chaining other vulnerabilities or by taking advantage of the victim's choice of using an account with full user rights. Consider this as a vehicle which can cloak the payload, or a stealth jet armed with any missile."Īccording to Farjon, "Our detection engines spotted an attacker group, which seems to originate from Serbia, using specially-crafted Microsoft Word documents to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format." Mimecast's Meni Farjon, the security researcher who described the inner workings of the bug used to revive the tried-and-tested Equation Editor Exploit, told BleepingComputer that "The bug can be used to carry any payload into an OLE file, so this can be chained to pretty much any Word vulnerabilty. Overflow bug can be chained with any vulnerability
While the vulnerability was patched as part of the November 2017 Patch Tuesday, successful exploitation leads to arbitrary code run in the context of the current user, but it can also enable potential attackers to completely taking control of compromised systems if the victim is logged on with administrative user rights. Hackers used specially-crafted Microsoft Word documents during the last few months to abuse an Integer Overflow bug that helped them bypass sandbox and anti-malware solutions and exploit the Microsoft Office Equation Editor vulnerability patched 15 months ago.Īccording to Microsoft's security advisory, this memory corruption vulnerability tracked as CVE-2017-11882 impacts unpatched Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016.