Under normal circumstances, software developers recommend that users promptly update to the latest version after a release. Security experts share the same stance, as updates often do more than fix bugs and add features—they may also include critical security patches.
One such case is CVE-2017-11882, a long-patched security flaw in Microsoft Office that remains widely exploitable due to many users—especially in enterprise environments—continuing to run outdated 2017 versions.
Cybersecurity consultant Xavier Mertens, during malware analysis, observed that attackers are still exploiting CVE-2017-11882 to achieve remote code execution. The flaw, originally disclosed in November 2017, resides in the Office Equation Editor 3.0 component.
Exploitation is alarmingly simple: an attacker need only embed malicious code into a Word document or RTF file and deliver it to a victim—typically via email or a phishing site. Once opened, the malicious payload executes without further user interaction.
In 2018, Microsoft removed Equation Editor 3.0 entirely, replacing it with a more secure and feature-rich component. In principle, simply upgrading to the newer version renders users immune to the flaw.
Mertens highlighted a recent attack scenario in which criminals crafted a Microsoft Excel XLAM add-in supporting Visual Basic code, disguised as a purchase order. This file contained no malicious VBA macros and thus did not trigger macro warnings, but was designed to target the vulnerable Equation Editor.
When a victim downloaded and opened the file, the exploit executed and installed a test keylogger created for research purposes. This keylogger could capture all keystrokes, including credentials and other sensitive information.
While the vulnerability poses little risk to most modern users, organizations—particularly manufacturing firms—still running outdated Office versions should remain vigilant. Phishing emails masquerading as legitimate orders can easily gain trust, making such enterprises prime targets for exploitation.
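A defender-side triage check for the delivery vehicles described above (RTF, legacy OLE .doc/.xls, and OOXML containers such as the XLAM add-in), added here as an example that is not from the article or from Mertens' analysis. It assumes the published Equation Editor 3.0 CLSID and the `Equation.3` ProgID as indicators, and searches the container bytes heuristically rather than fully parsing OLE sectors.

```python
import io
import re
import uuid
import zipfile

# Assumption (not from the article): Equation Editor 3.0 is registered under this
# COM class id and the "Equation.3" ProgID; documents that exploit CVE-2017-11882
# embed an object of that class so that EQNEDT32.EXE is launched to parse it.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
CLSID_LE = EQNEDT_CLSID.bytes_le                 # byte layout used inside OLE streams
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header

def _scan_ole(blob: bytes) -> list[str]:
    """Byte-level search of a compound file (ignores sector boundaries: triage only)."""
    hits = []
    if CLSID_LE in blob:
        hits.append("ole:equation-editor-clsid")
    if b"Equation.3" in blob:                    # ProgID as stored in the CompObj stream
        hits.append("ole:progid-Equation.3")
    return hits

def _scan_rtf(blob: bytes) -> list[str]:
    hits = []
    if re.search(rb"\\objclass\s*Equation\.3", blob, re.IGNORECASE):
        hits.append("rtf:objclass-Equation.3")
    # \objdata carries the OLE object hex-encoded; samples pad it with whitespace
    # and line breaks, so collapse those before looking for the CLSID bytes.
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", blob):
        hexdata = re.sub(rb"\s+", b"", m.group(1)).lower()
        if CLSID_LE.hex().encode() in hexdata:
            hits.append("rtf:objdata-equation-editor-clsid")
    return hits

def _scan_ooxml(blob: bytes) -> list[str]:
    # OOXML (.docx/.xlsm/.xlam) is a zip; embedded OLE objects live under */embeddings/*.bin
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if "/embeddings/" in name and name.lower().endswith(".bin"):
                hits += [f"{name}:{h}" for h in _scan_ole(z.read(name))]
    return hits

def equation_editor_indicators(blob: bytes) -> list[str]:
    """Dispatch on container format; an empty list means no indicator was found."""
    if blob.startswith(b"{\\rt"):                # "{\rtf1", but exploit files often truncate it
        return _scan_rtf(blob)
    if blob.startswith(OLE_MAGIC):
        return _scan_ole(blob)
    if blob.startswith(b"PK\x03\x04"):
        return _scan_ooxml(blob)
    return []
```

Any hit on a mail-gateway or endpoint sample is a reason to quarantine and inspect, since no legitimate document produced after Microsoft removed Equation Editor 3.0 should carry that object class.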