ARID

The Old Equations

Credit M. Kemal https://www.flickr.com/photos/23221002@N00/7204014842/in/photolist-bYAsCs-64RZB1-q34MyH-7QhvAS-5kBGaM-sbmQwc-8xhWdj-aQmwe2-aQmw2H-aQmw1g-7g4nCq-aQmwbp-xDxNy-aQmw4v-aQmwfn-aQmw6r-aQn6hX-FH3RYP-aQmwkn-5cXYr-4s8uCX-7eALhs-fHxKgh-6HsCtz-cMpT5h-dkAv3z-dS6ThJ-fHh26r-fHyEjj-5nJzqU-cMpT33-6DxhSz-61Pdc-ZtZM-8JXn7H-4ZUia7-sJC1j-fHgUZt-b7NQqR-5H5z6S-4GiCre-5cXYq-5Lu4yz-wgXj7z-Z1P7Jm-bnZtgV-j8EtXM-5RpyD-8TU8VK-4qqqdU

Especially because we now offer a Microsoft Word-based tool, ARID (ACUTA Regulatory Intelligent Documents), I thought it would be important to point out a recently discovered vulnerability in Microsoft Office.  The original Equation Editor — a 17-year-old component — has been shipped with all versions of Office since that point, and has been found to permit arbitrary code to be executed through the use of documents crafted with evil in mind.

For the most part, there’s nothing to panic about: There haven’t been any cases of this being released ‘in the wild,’ and Office’s Protected Mode, which is activated when you open documents from external sources, will prevent such exploitation (but don’t enable full editing if you don’t trust the source of your documents).

This was reported to me through Office Watch, which has a regular email newsletter with tips and occasional previews of upcoming Office versions.  It links to a 20-page PDF analysis that has enough info to help you make your own evil documents, but also explains how to prevent those evil documents from running — if you are familiar with Windows’ Registry Editor.

Microsoft has already issued a patch that fixes the problem — there are multiple versions based on which version of Office you are running, so I recommend having your IT team get the links from the Office Watch page.

(A tip of the hat to Tom Godwin, author of the classic SF short story “The Cold Equations.”)

Photo credit M. Kemal, used under Creative Commons license

Author: Joel Finkle

Joel became embroiled in electronic submissions when regulatory came downstairs and asked "Can we convert all our clinical study reports to WordPerfect format for the FDA reviewer?" and he didn't say, "No." Since then, he's been involved with custom CANDAs, PDF publishing, eCTD, document template automation, Regulatory Information Management, HL7's RPS, and the ISO IDMP standard. He joined ACUTA in April of 2017. He'd share some of his famous tomatillo salsa with you, but he can't carry it on airplanes.
