Especially because we now offer a Microsoft Word-based tool, ARID (ACUTA Regulatory Intelligent Documents), I thought it would be important to point out a recently discovered vulnerability in Microsoft Office. The original Equation Editor — a 17-year-old component that has shipped with every version of Office since it was introduced — has been found to permit arbitrary code execution through the use of documents crafted with evil in mind.
For the most part, there’s nothing to panic about: there haven’t been any cases of this being exploited ‘in the wild,’ and Office’s Protected Mode, which is activated when you open documents from external sources, will prevent such exploitation (but don’t enable editing if you don’t trust the source of your documents).
This was reported to me through Office Watch, which has a regular email newsletter with tips and occasional previews of upcoming Office versions. It links to a 20-page PDF analysis that has enough detail to let you build such evil documents yourself, but that also explains how to prevent those evil documents from running — if you are familiar with Windows’ Registry Editor.
Microsoft has already issued a patch that fixes the problem — there is a separate update for each version of Office, so I recommend having your IT team get the links from the Office Watch page.
(A tip of the hat to Tom Godwin, author of the classic SF short story “The Cold Equations”)
Photo credit M. Kemal, used under Creative Commons license