
Security advisories | Feb 26, 2019

Office Equation Editor Vulnerability

A flaw that allows remote code execution has been disclosed in all versions of Microsoft Office. Microsoft has reported that this vulnerability is being actively exploited in the wild, so remediation should be given a high priority. The vulnerability could allow a threat actor to execute files without macros via a specially crafted file, making the malicious content harder to detect. If the vulnerability is successfully exploited against a user with administrative rights, the attacker could create new accounts, install or delete programs, and view or edit data. Attacks exploiting the Office Equation Editor vulnerability can be delivered through either phishing emails or webpages hosting a malicious document. Since being made aware of the flaw, Microsoft has released a patch as part of its last regularly scheduled Patch Tuesday.

What we are doing about it

  • The eSentire Global Blacklist blocks domains based on reputation, preventing infection from known malicious sites
  • esENDPOINT will detect the anomalous behavior that occurs when a malicious document executes

What you should do about it

  • After performing a business impact review, apply the January patches from Microsoft
  • Control the use of administrative privileges (the exploit results in arbitrary code execution in the context of the current user)

Additional information

  • The CVE ID for this vulnerability is CVE-2018-0802 [1]. For a full list of affected Microsoft Office products and additional information, please see the Microsoft Security Update Guide [2].
  • The Office Equation Editor vulnerability occurs when Microsoft Office software does not properly handle objects in memory. Microsoft's Patch Tuesday update mitigates the vulnerability by removing Equation Editor functionality. As such, applying the patch may affect any software that relies on this functionality.
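
An added example, not part of the eSentire advisory: because the patch removes Equation Editor functionality, the business impact review can start with an inventory of documents that embed Equation Editor objects. This heuristic byte scan assumes such objects carry the ProgIDs `Equation.3` or `Equation.2`; the function names and the sample documents are constructed for illustration.

```python
import io
import zipfile

# Assumption of this example: ProgIDs used by embedded Equation Editor objects.
# The advisory itself does not list them.
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file signature
MAX_MEMBER = 20 * 1024 * 1024  # skip oversized ZIP members (decompression bombs)


def find_progids(blob):
    """Return ProgIDs present in blob as ASCII or UTF-16LE text."""
    return {p.decode() for p in EQUATION_PROGIDS
            if p in blob or p.decode().encode("utf-16-le") in blob}


def scan_document(data):
    """Return (format, sorted ProgIDs) for one document's raw bytes."""
    found = set()
    if data.startswith(b"PK") and zipfile.is_zipfile(io.BytesIO(data)):
        kind = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():  # document.xml, embeddings/*.bin
                if info.file_size <= MAX_MEMBER:
                    found |= find_progids(archive.read(info))
    elif data.startswith(OLE_MAGIC):
        kind, found = "ole", find_progids(data)
    elif data.lstrip().startswith(b"{\\rt"):
        kind, found = "rtf", find_progids(data)
    else:
        kind = "other"
    return kind, sorted(found)


def constructed_samples():
    """Build small constructed inputs in memory (not real documents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml",
                         '<w:object><o:OLEObject ProgID="Equation.3"/></w:object>')
    return {
        "report.docx": buf.getvalue(),
        "legacy.rtf": rb"{\rtf1{\object\objemb{\*\objclass Equation.3}}}",
        "plain.rtf": rb"{\rtf1 No embedded objects here.}",
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(name, *scan_document(data))
```

The scan inventories well-formed documents for patch planning; it is not a detector for crafted files, which need not carry a readable ProgID.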