Microsoft’s Patch Tuesday release for January is now available. The latest monthly cumulative update fixes 56 flaws and brings updates for Adobe Flash. More importantly, Microsoft has “fixed” a vulnerability in Office which affected the Word app.
Specifically, Word’s integrated Equation Editor has been under attack because of a security flaw. If you are running Windows 7 or Windows 8.1, Patch Tuesday also introduced the controversial fix for the Meltdown and Spectre CPU vulnerabilities. Windows 10 received the same patch last week.
For Word, the app should now finally be shored up against a vulnerability that is 17 years old. Last year it was found that the ancient Equation Editor tool was open to attack. First compiled in 2000, the editor was used to insert math formulas into Office documents. Since the release of Office 2017, Equation Editor has been useless, but it remained within the suite for backward compatibility.
The company sent out a fix in November’s Patch Tuesday, but it apparently did not work. Attackers have continued to exploit the vulnerability, which allows a hacker to execute code on a machine without the user knowing.
Microsoft has finally decided to do the right thing. Instead of fixing the flaw, the company has completely removed Equation Editor from Word through Patch Tuesday. If users want to edit math equations in Word, Microsoft is pointing them towards a third-party application called MathType.
Microsoft’s Word is often a source for zero-day attacks. Back in April 2017, the document editor was used to install malicious content on machines. If unwitting users opened an email containing the document, malware would be installed on their PC.
The zero-day was uncovered by security firm FireEye. The bug affects all versions of Microsoft Word and Office, including Office 2016 and Office 365 for Windows 10. Microsoft acted quickly and patched the problem during the April Patch Tuesday.