Microsoft Office CVE-2017-11882
HIGH
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
Analysis (AI)
Remote code execution in Microsoft Office 2007-2016 via malicious documents that exploit a 17-year-old buffer overflow in the Equation Editor component (EQNEDT32.EXE). Attackers deliver weaponized Office files that execute arbitrary code when opened, requiring no macros and no user interaction beyond opening the document. Confirmed actively exploited (CISA KEV), with an EPSS score of 94.38% indicating widespread exploitation. Multiple public exploit frameworks are available, including Metasploit modules. Microsoft released patches in November 2017, but exploitation continues against unpatched systems across APT campaigns and commodity malware.
Technical Context (AI)
The vulnerability resides in EQNEDT32.EXE, the legacy Equation Editor component included with Microsoft Office since Office 97. A CWE-119 buffer overflow occurs when the component parses specially crafted OLE objects embedded in Office documents (Word, Excel, PowerPoint). The Equation Editor uses the outdated MTEF (Mathematical Type Encoding Format) protocol, which lacks proper bounds checking. Attackers embed malicious equation objects containing shellcode that triggers the overflow during document rendering. Because EQNEDT32.EXE runs as a separate process without ASLR or DEP protections, successful exploitation provides reliable code execution in the user context. The affected CPE strings cover Office 2007 SP3, 2010 SP2, 2013 SP1, and 2016 across all Windows platforms. This is a legacy code component; Microsoft removed EQNEDT32.EXE entirely in the January 2018 updates after patching proved insufficient.
Remediation (AI)
Apply Microsoft Security Update MS17-11882 released November 14, 2017 via Windows Update or download from Microsoft Update Catalog for Office 2007 (KB4011604), Office 2010 (KB4011604), Office 2013 (KB4011580), and Office 2016 (KB4011574). Microsoft subsequently released KB4011730 in January 2018, which completely removes EQNEDT32.EXE rather than patching it; this is the recommended permanent fix.

Organizations unable to patch immediately should block EQNEDT32.EXE execution via AppLocker or Software Restriction Policies with the rule: deny execution of %ProgramFiles%\Microsoft Office\*\EQNEDT32.EXE and %ProgramFiles(x86)%\Microsoft Office\*\EQNEDT32.EXE. Note this breaks legitimate equation editing functionality.

Email gateway scanning should flag Office documents containing embedded Equation Editor objects for manual review.

Third-party micropatches from 0patch.com provide runtime protection for systems requiring equation editor functionality while awaiting official updates, though this approach trades vendor support for interim security.

All compensating controls should be temporary; the only robust solution is applying KB4011730 to remove the vulnerable component entirely.
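
An added example (not from this advisory or from Microsoft) of the gateway check described above: it flags documents that carry an Equation Editor OLE object by looking for the Equation Editor 3.0 CLSID, the `Equation Native` stream name and the `Equation.3` ProgID. Those three identifiers and all function names are assumptions brought in for the example; the sample documents are constructed and contain only the markers.

```python
import io
import re
import uuid
import zipfile

# Well-known Equation Editor 3.0 identifiers (assumed here, not from the page).
EQ_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
EQ_STREAM = "Equation Native".encode("utf-16-le")  # OLE stream name
EQ_PROGID = b"equation.3"                          # OLE ProgID / RTF \objclass

def indicators(blob: bytes) -> set:
    """Equation Editor markers present in one raw byte blob."""
    found = set()
    if EQ_CLSID in blob:
        found.add("clsid")
    if EQ_STREAM in blob:
        found.add("stream")
    if EQ_PROGID in blob.lower():
        found.add("progid")
    return found

def rtf_objdata(data: bytes):
    """Yield decoded \\objdata hex payloads (plain hex only, whitespace allowed)."""
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        digits = re.sub(rb"\s+", b"", m.group(1))
        yield bytes.fromhex(digits[: len(digits) & ~1].decode("ascii"))

def scan_document(data: bytes) -> dict:
    """Map each part of a document to the Equation Editor markers it holds."""
    if data[:2] == b"PK":                       # OOXML container (.docx/.xlsx/.pptx)
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            parts = {n: z.read(n) for n in z.namelist()}
    elif data.lstrip()[:5] == b"{\\rtf":        # RTF: raw text plus decoded objects
        parts = {"rtf": data}
        parts.update({f"objdata[{i}]": b for i, b in enumerate(rtf_objdata(data))})
    else:                                       # legacy OLE2 file or unknown type
        parts = {"raw": data}
    return {name: sorted(h) for name, blob in parts.items() if (h := indicators(blob))}

def constructed_samples() -> dict:
    """Constructed, harmless inputs: markers only, no equation payload."""
    ole = b"\xd0\xcf\x11\xe0" + EQ_CLSID + EQ_STREAM
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", ole)
    rtf = b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata " + ole.hex().encode() + b"}}}"
    return {"docx": buf.getvalue(), "rtf": rtf, "plain": b"{\\rtf1 hello}"}
```

The `\objdata` decoder handles only plain hex; a production gateway should use a full RTF and OLE parser and cap the size of the ZIP members it reads.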