Traps Prevents Microsoft Office Equation Editor Zero-Day CVE-2018-0802

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Last November, Microsoft manually patched a remotely exploitable vulnerability (CVE-2017-11882) in Equation Editor, which is a program that lets you write a mathematical equation into a document. Our Unit 42 research team provided a detailed analysis on this vulnerability here.

Since then, Microsoft has received additional reports from multiple security vendors that turned out to be related to another vulnerability that was successfully exploited after applying Microsoft’s update – Microsoft assigned it as CVE-2018-0802 and released a fix for it in the January 2018 monthly security updates.

The vulnerability is a stack overflow bug when parsing the long font name string in a FONT record, just like CVE-2017-11882. It can be used by attackers to execute code in the security context of the logged-on user.

In this blog, we look at an RTF document which we found in the wild that exploits the new FONT record vulnerability. We first saw this sample on January 3, 2018. This means that attackers were actively exploiting the CVE-2018-0802 in a zero-day attack scenario prior to Microsoft’s patch which was only available on January 9.


Figure 1 – The attack flow as observed in the malicious sample

In Figure 1 we show the attack flow as observed in the malicious sample. First, the malicious RTF document is opened by the victim. Then, the document uses an embedded ‘package’ to drop a DLL named ‘’ to the disk, under the ‘%TEMP%’ directory. This technique was described in McAfee’s whitepaper.

Secondly, the RTF file contains two embedded equations (parsed by ‘EQNEDT32.exe’) – one for CVE-2017-11882, and another for the Font vulnerability within CVE-2018-0802. This means that the attack will work on a victim’s machine unless they have applied patches for both CVEs.

The equations exploits contain a shellcode that copies the DLL file dropped at the first stage and renames it into ‘%appdata%WordStartupw.wll’. ‘%appdata%WordStartup’ is a special directory containing plugin DLLs for Microsoft Word, which are loaded by ‘winword.exe’  each time it is launched.  This grants the malware with a persistency capability.

When ‘w.wll’ is loaded into ‘winword.exe’, it drops the actual malware payload (embedded in the DLL) into ‘%programdata%NetWorktmp.exe’ and executes it.

How Traps prevents this threat

Palo Alto Networks Traps advanced endpoint protection offers multiple methods of malware and exploit prevention to protect against such complex threats. It first prevents the malicious shellcode running in ‘EQNEDT32.exe’ using Traps exploit prevention capabilities. Secondly, Traps local analysis via machine learning prevents ‘%programdata%/NetWork/tmp.exe’ from executing. Some other samples we have observed in the wild run a command line or PowerShell commands via ‘EQNEDT32.exe’ to execute the malicious intents. Traps prevent these by child process execution restrictions.

Learn more about how Traps prevents zero-day vulnerabilities and unknown threats.

The post Traps Prevents Microsoft Office Equation Editor Zero-Day CVE-2018-0802 appeared first on Palo Alto Networks Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Palo Alto Networks
Palo Alto Networks is the next-generation security company maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. With our deep cybersecurity expertise, commitment to innovation, and game-changing Next-Generation Security Platform, customers can confidently pursue a digital-first strategy and embark on new technology initiatives, such as cloud and mobility. This kind of thinking and know-how helps customer organizations grow their business and empower employees all while maintaining complete visibility and the control needed to protect their critical control systems and most valued data assets. Our platform was built from the ground up for breach prevention, with threat information shared across security functions system-wide, and designed to operate in increasingly mobile, modern networks. By combining network, cloud and endpoint security with advanced threat intelligence in a natively integrated security platform, we safely enable all applications and deliver highly automated, preventive protection against cyberthreats at all stages in the attack lifecycle without compromising performance. Customers benefit from superior security to what legacy or point products provide and realize a better total cost of ownership.
Promoted Content
Unit 42 Report - Ransomware: Unlocking the Lucrative Criminal Business Model
Ransomware, specifically cryptographic ransomware, has quickly become one of the greatest cyber threats facing organizations around the world. This criminal business model has proven to be highly effective in generating revenue for cyber criminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning across the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – everyone is a potential target. Ransomware has existed in various forms for decades, but in the last several years criminals have perfected the key components of these attacks. This has led to an explosion of new malware families and has drawn new actors into participating in these lucrative schemes.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?