Zombie Flaw Hits Microsoft Office Users: Protect Yourself Now

Sometimes what should be dead never truly dies. An ancient vulnerability in Microsoft Office, patched in November 2017, is still being successfully used to attack Windows systems that have never been properly updated.

Credit: Romolo Tavani/Shutterstock


Victims can become infected simply by opening a malicious document, which may arrive as an email attachment or as a download. Microsoft on Friday (June 7) tweeted a series of warnings from its Security Intelligence Twitter feed that an "active malware campaign" was sending emails carrying malicious RTF attachments to users in Europe.

The command-and-control server for this campaign is now offline, but it would be simple for the attackers to resume operations with a new server. Other groups have exploited the same Office flaw in the past, and it's sure to be part of an attacker's toolkit for the foreseeable future.

To make sure you're immune to this flaw, make sure Microsoft Office itself is fully patched on your Windows 7, 8.1 or 10 machines: this is an Office vulnerability, so the fix arrives as an Office update, not as part of the monthly Windows fixes. Windows Update delivers Office patches only if "Receive updates for other Microsoft products" is enabled; Click-to-Run installations (Office 365 and newer retail builds) update from the Update Options menu inside any Office application. If Office has not been updated since November 2017, you're still vulnerable. Microsoft Office 2019 shipped after the vulnerable component was removed and should not be affected, but older versions of Office may be.
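A quicker check than reading update history, as an added example that is not from the article or from Microsoft: the script below looks for the legacy Equation Editor binary (EQNEDT32.EXE) on disk, reports its file version, and, with the -Disable switch, applies the registry workaround Microsoft published for CVE-2017-11882 (a COM "Compatibility Flags" kill-bit on the Equation Editor class). The install paths and the "2017.8.14.0" patched-version threshold are this example's assumptions and should be confirmed against the Office update KB article for your build; run it from an elevated PowerShell.

```powershell
param(
    # Set to apply the COM kill-bit workaround instead of only reporting.
    [switch]$Disable
)

# Equation Editor installs under Common Files on both 32- and 64-bit Windows
# (assumed default locations; a custom Office install may differ).
$candidates = @(
    "$env:CommonProgramFiles\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE"
)
$found = $candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

if (-not $found) {
    Write-Output "EQNEDT32.EXE not present: Equation Editor was removed (January 2018 update) or never installed."
} else {
    # File version that the November 2017 fix shipped; anything lower is unpatched.
    # Threshold is an assumption of this example - verify against the KB article.
    $patched = [version]'2017.8.14.0'
    foreach ($path in $found) {
        $ver = [version](Get-Item -LiteralPath $path).VersionInfo.FileVersion
        $state = if ($ver -ge $patched) { 'patched' } else { 'VULNERABLE (pre-November-2017 build)' }
        Write-Output "$path : file version $ver -> $state"
    }
}

if ($Disable) {
    # Microsoft's advisory workaround: flag the Equation Editor COM class so
    # Office refuses to instantiate it. 0x400 = "do not load this control".
    $clsid = '{0002CE02-0000-0000-C000-000000000046}'
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$clsid"
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
        Write-Output "Kill-bit set under $key"
    }
}
```

The kill-bit is a stopgap, not a substitute for the patch: it also blocks legitimate documents that still rely on the old Equation Editor to render formulas, which is the same trade-off Microsoft made when it removed the component outright in January 2018.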


The flaw, which never acquired a catchier name than its catalog entry CVE-2017-11882, is a memory-corruption bug in Equation Editor (EQNEDT32.EXE), a legacy component that Office launches as a separate process to render embedded equation objects. Malicious Rich Text Format (RTF) documents are the usual carrier because an RTF file can embed such an object, and Word hands it straight to Equation Editor when the document is opened.

If a user of an unpatched system opens a malicious RTF file in Microsoft Word, "the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the [malware] payload," Microsoft explained Friday.

"The backdoor payload then tries to connect to a malicious domain" that, fortunately, is "currently down."
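Because the carrier is an RTF file with an embedded Equation Editor object, a mail gateway or incident responder can triage attachments without opening them in Word. The following is an added example, not code from the article or from Microsoft: it pulls the hex-encoded `\objdata` payloads out of an RTF, tolerates the whitespace and stray control words attackers use to break naive signatures, and flags any object whose OLE header names the Equation Editor ProgID or whose data contains the Equation Editor CLSID (both public Microsoft identifiers). The RTF samples are constructed for the demonstration; the first deliberately lies in `\objclass` to show why that field alone is not enough.

```python
import re
import struct
import uuid

# Public COM identifiers of the legacy Equation Editor object (EQNEDT32.EXE).
EQNEDT_PROGIDS = (b"Equation.3", b"Equation.2")
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le  # byte order used inside OLE compound files

_CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?|\\'[0-9A-Fa-f]{2}")
_HEX_DIGIT = re.compile(r"[0-9A-Fa-f]")


def _group_body(text, start):
    """Return the contents of the RTF group whose '{' sits at text[start].
    Simplification for the demo: escaped braces (\\{ and \\}) are not handled."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]


def _objdata_bytes(body):
    """Recover the raw OLE object bytes from an \\objdata group.
    Lures pad the hex with control words, whitespace and nested groups,
    so strip everything that is not a hex digit before decoding."""
    cleaned = _CONTROL_WORD.sub("", body)
    digits = "".join(_HEX_DIGIT.findall(cleaned))
    if len(digits) % 2:
        digits = digits[:-1]  # dangling nibble: truncated or malformed object
    return bytes.fromhex(digits)


def find_equation_objects(rtf):
    """Return one record per embedded object that targets Equation Editor,
    with the evidence that flagged it ('objclass', 'progid', 'clsid')."""
    text = rtf.decode("latin-1") if isinstance(rtf, bytes) else rtf
    findings = []
    for m in re.finditer(r"\\objdata", text):
        data = _objdata_bytes(_group_body(text, text.rfind("{", 0, m.start())))
        reasons = []
        obj_start = text.rfind("{\\object", 0, m.start())
        if obj_start >= 0 and re.search(r"\\objclass\s+Equation\.\d",
                                        _group_body(text, obj_start)):
            reasons.append("objclass")        # declared class (attacker-controlled)
        if any(p in data for p in EQNEDT_PROGIDS):
            reasons.append("progid")          # class name inside the OLE 1.0 header
        if EQNEDT_CLSID_LE in data:
            reasons.append("clsid")           # CLSID inside the compound file
        if reasons:
            findings.append({"offset": m.start(), "size": len(data), "reasons": reasons})
    return findings


def _ole1_header(progid):
    """OLE 1.0 embedded-object header: version, format, class name, empty topic/item."""
    name = progid.encode() + b"\0"
    return (struct.pack("<II", 0x00000501, 0x00000002)
            + struct.pack("<I", len(name)) + name
            + struct.pack("<II", 0, 0))


# Constructed samples (not real malware). LURE_RTF claims to be a Word object in
# \objclass while its OLE header names Equation.3, and splits the hex with a
# newline and a control word, as real lures do.
_hdr = _ole1_header("Equation.3").hex()
LURE_RTF = (r"{\rtf1\ansi Invoice attached.{\object\objemb{\*\objclass Word.Document.8}"
            + r"{\*\objdata " + _hdr[:20] + "\n\\par " + _hdr[20:] + (b"\x00" * 8).hex()
            + r"}}\par}")
CLSID_RTF = (r"{\rtf1\ansi {\object\objemb{\*\objdata "
             + (b"\x00" * 16 + EQNEDT_CLSID_LE + b"\x00" * 16).hex() + r"}}}")
CLEAN_RTF = r"{\rtf1\ansi Plain text, no objects.\par}"

if __name__ == "__main__":
    for label, sample in (("lure", LURE_RTF), ("clsid-only", CLSID_RTF), ("clean", CLEAN_RTF)):
        print(label, find_equation_objects(sample))
```

Any hit is worth quarantining on an unpatched estate: after the January 2018 update there is no legitimate reason for a freshly received document to embed an Equation Editor object. A negative result is weaker evidence, since the same bug has also been triggered through Excel and through OLE objects delivered by other container formats; this check only covers the RTF carrier the campaign above used.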

The bug is as old as the component: the Equation Editor binary that ships with Office was compiled in 2000 and never rebuilt, so it also lacks the exploit mitigations that later Office components received. Equation Editor lets users construct scientific and mathematical formulas in Word; a different equation editor was introduced in Office 2007, but the older one was kept on for compatibility with existing documents.

Microsoft's patch of CVE-2017-11882 in November 2017, together with the security researchers' write-up that followed it, revealed the longstanding flaw to the world, and attackers promptly began using it against systems that had not installed the update.

As a result, Microsoft removed Equation Editor from then-supported versions of Microsoft Office (Office 2007, 2010, 2013 and 2016) with a subsequent patch in January 2018.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
