Microsoft today patched a huge security hole in Microsoft Office that could be exploited to run malicious code without user interaction on all Windows versions released in the past 17 years.
The vulnerability — tracked as CVE-2017-11882 — was patched today in the November 2017 Patch Tuesday updates.
Vulnerability resides in the old Office equation editor
Discovered by the Embedi research team, the vulnerability affects the Microsoft Equation Editor (EQNEDT32.EXE), one of the executables that is installed on users' computers with the Office suite.
This tool, as the name obviously implies, allows users to embed mathematical equations inside Office documents as dynamic OLE objects.
Embedi discovered that Microsoft was still using a version of the EQNEDT32.EXE file that was compiled on November 9, 2000, meaning it was running on very old code that featured out-of-date libraries and did not use any of the recent security features added to Windows OS releases.
Subsequent sleuthing revealed that the component was replaced by a new equation editor in Office 2007, but Microsoft left the old one inside Office to make sure the Office software suite could open documents that featured equations made in older Office versions.
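The compile date and the absence of newer security features described above can both be read from a binary's PE header. The following is an added example, not code from the article or from Embedi: it reads the link timestamp and the opt-in mitigation bits (ASLR, DEP, CFG) from `DllCharacteristics`. The function names and the two sample headers are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
MITIGATIONS = {
    "ASLR (DYNAMIC_BASE)": 0x0040,
    "DEP (NX_COMPAT)": 0x0100,
    "CFG (GUARD_CF)": 0x4000,
}

def pe_hardening(data: bytes) -> dict:
    """Return the link timestamp and opt-in mitigation flags of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if len(data) < pe_off + 24 + 72 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    # COFF header follows the 4-byte signature; TimeDateStamp is at +4 of it.
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    opt = pe_off + 24                                   # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "linked": datetime.fromtimestamp(stamp, timezone.utc),
        "mitigations": {n: bool(dllchar & bit) for n, bit in MITIGATIONS.items()},
    }

def build_sample(stamp: int, dllchar: int) -> bytes:
    """Constructed minimal header (not a real binary) for demonstration."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, stamp, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)
    struct.pack_into("<H", optional, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(optional)

# Constructed samples: a header stamped 9 Nov 2000 with no mitigation flags,
# modelling the old binary the article describes, and a hardened one for contrast.
OLD = build_sample(int(datetime(2000, 11, 9, tzinfo=timezone.utc).timestamp()), 0)
NEW = build_sample(int(datetime(2017, 11, 14, tzinfo=timezone.utc).timestamp()), 0x4140)

if __name__ == "__main__":
    for name, blob in (("old", OLD), ("new", NEW)):
        print(name, pe_hardening(blob))
```

The PE timestamp is written by the linker and can be altered or zeroed, so treat it as a hint about a binary's age and rely on the mitigation flags for the hardening assessment.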
The vulnerability resides in the old version of the Office equation editor
CVE-2017-11882 (Candidate): Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability".