Skip to main content

Hackers still abusing two-year-old Microsoft Office exploit

(Image credit: Image source: Shutterstock/BeeBright)

Even though Microsoft issued a patch for Office flaw CVE-2017-11882 two years ago, hackers are still exploiting the vulnerability to deliver Remote Access Trojans (RATs).

This is according to a new report from cybersecurity firm Menlo Labs, which explains the company observed multiple distinct campaigns, all targeting the same vulnerability.

The exploit takes advantage of a stack buffer overflow vulnerability in the Microsoft Equation Editor (a feature that allows users to embed a mathematical formula into any Office document). Because of how the Equation Editor executable was compiled and linked, it was not using the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) features.

According to the report, cybercriminals are leveraging well known cloud security storage platforms -me, and OneDrive to host weaponised payloads. Primary targets include real estate, entertainment and banking companies located either in North America or Hong Kong.

Menlo Labs believes the campaigns are unrelated to one another, mostly because the infrastructure does not overlap, and because each campaign distributes different malware.

“The fact that CVE-2017-11882 is continuing to be exploited speaks not only to the reliability of the exploit, but to the fact that there are companies out there that are still using outdated software,” said Menlo Labs.

“Patching applications and operating systems to protect them against security issues is critical, but the shortage of cybersecurity professionals combined with the ever changing enterprise environment makes it harder for enterprises to put a proper patch management process in place.”

Sead Fadilpašić

Sead is a freelance journalist with more than 15 years of experience in writing various types of content, from blogs, whitepapers, and reviews to ebooks, and many more, across sites including Al Jazeera Balkans, TechRadar Pro, IT Pro Portal, and CryptoNews.