Security researchers from Anomali came across an improved version of a Rich Text Format (RTF) weaponizer used by multiple Chinese threat actors. In analysing the updated tool, they found that it is used solely to exploit CVE-2018-0798, a stack buffer overflow in Microsoft's Equation Editor.
The earlier version of this "Royal Road" weaponizer exploited two other remote code execution vulnerabilities in the same Equation Editor component (CVE-2017-11882 and CVE-2018-0802). Anomali's researchers suggest that the groups switched to CVE-2018-0798 because of its reliability across all versions of Equation Editor.
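All three CVEs are reached through an Equation Editor (Equation.3) OLE object embedded in the RTF, so a quick triage check is whether a document carries such an object at all. The following Python is an added example, not Anomali's tooling and not anything from the weaponizer; the RTF sample it scans is constructed for the demonstration, while the Equation Editor CLSID and the OLE 1.0 object header layout it parses are the standard ones. The page does not describe how Royal Road lays out its RTF, so treat this as a generic indicator, not a signature for that tool.

```python
"""Triage helper: flag RTF files that embed Microsoft Equation Editor (Equation.3) OLE objects.

Added example, not Anomali's analysis tooling or the weaponizer itself. The sample RTF below
is constructed for demonstration; it is not a Royal Road sample.
"""
import re
from typing import Dict, List

# CLSID of Equation Editor 3.0, {0002CE02-0000-0000-C000-000000000046}, serialised as it
# appears in a compound file (Data1-Data3 little-endian, Data4 as written).
EQUATION3_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")

# {\*\objclass Equation.3} names the OLE class in the RTF; \objdata carries the hex-encoded
# OLE 1.0 object, which repeats the class name in its own header.
_OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9_.]+)")
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _ole1_class_name(blob: bytes) -> str:
    """Return the ClassName from an OLE 1.0 header (OLEVersion, FormatID, ClassName), or ''."""
    if len(blob) < 12:
        return ""
    name_len = int.from_bytes(blob[8:12], "little")
    if name_len == 0 or len(blob) < 12 + name_len:
        return ""
    return blob[12:12 + name_len].rstrip(b"\0").decode("ascii", errors="replace")


def scan_rtf(data: bytes) -> Dict[str, object]:
    """Collect indicators of embedded Equation Editor objects in raw RTF bytes."""
    objclass_names: List[str] = [
        m.group(1).decode("ascii", errors="replace") for m in _OBJCLASS_RE.finditer(data)
    ]
    ole1_class_names: List[str] = []
    clsid_hits = 0
    for m in _OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:  # truncated hex stream: keep the decodable prefix
            hexstr = hexstr[:-1]
        blob = bytes.fromhex(hexstr.decode("ascii"))
        name = _ole1_class_name(blob)
        if name:
            ole1_class_names.append(name)
        # The CLSID normally sits in the embedded compound file's directory entry; a raw
        # byte search catches it even when the class name has been tampered with.
        clsid_hits += blob.count(EQUATION3_CLSID)
    has_equation = (
        any(n.lower().startswith("equation") for n in objclass_names + ole1_class_names)
        or clsid_hits > 0
    )
    return {
        "objclass_names": objclass_names,
        "ole1_class_names": ole1_class_names,
        "clsid_hits": clsid_hits,
        "has_equation_editor_object": has_equation,
    }


# Constructed OLE 1.0 object: header fields followed by 16 bytes of "native data" that, for
# the demonstration, contain only the Equation Editor CLSID.
_OBJDATA_HEX = (
    "01050000"                  # OLEVersion
    "02000000"                  # FormatID = 2 (embedded object)
    "0b000000"                  # ClassName length (11, including the NUL)
    "4571756174696f6e2e3300"    # "Equation.3\0"
    "00000000" "00000000"       # TopicName / ItemName lengths
    "10000000"                  # NativeDataSize = 16
    "02CE020000000000C000000000000046"
)

# Constructed sample documents (not real malware).
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}}"
    rb"\pard Quarterly report attached.\par"
    rb"{\object\objemb{\*\objclass Equation.3}{\*\objdata " + _OBJDATA_HEX.encode() + rb"}}"
    rb"}"
)
BENIGN_RTF = rb"{\rtf1\ansi\deff0 \pard Hello from finance.\par}"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
    print(scan_rtf(BENIGN_RTF))
```

Real weaponized documents may omit or mangle `\objclass`, split the hex across whitespace and control words, or nest the object differently, which is why the scanner also decodes the object data and searches for the CLSID bytes; a hit means the file deserves a closer look in a sandbox, not that it is one of these exploits.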
Worth noting
The researchers explain why the threat actors opted for CVE-2018-0798: "CVE-2017-11882 is only exploitable on an unpatched version prior to its fix, and CVE-2018-0802 is only exploitable on the version released to fix CVE-2017-11882. In contrast, a threat actor utilizing CVE-2018-0798 has a higher chance of success because it is not limited by version," they said.