Hello, welcome to the Wednesday, February 23rd, 2022 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich and I am, according, from Jacksonville, Florida.

With all the focus on patching and patching quickly, it's sometimes sad to see how apparently old vulnerabilities are still a thing

or still working well enough for attackers to actually exploit them. And Xavier did run into

an example where a malicious word document exploited the good old equation editor vulnerability from back in 2017.

So essentially, I guess, a five-year-old vulnerability.

Now, the work document here arrived sort of as a fuzzy image with a magnification class to

click on.

So essentially, the user is sort of enticed to click on that image,

which then in turn launches the equation editor

if the victim is vulnerable and does inject the malicious code,

which is essentially just a bad file that will load additional malware

from a particular IP address.

Also interesting kind of here that only an IP address is being used, not a host name.

This is something that I always tell people to watch out for any outbound connections that go to an IP address that is

not the result of a DNS resolution. First is usually suspicious with few exceptions and there are

some nice seek scripts, for example, to detect this kind of behavior. When teaching web applications security and talking about cross-site scripting, there are usually

sort of a couple points I make, but two points are that first of all, one of the most difficult

type of applications to create is a webmail application because you often have to render HTML that's delivered

as part of the email as part of the HTML webmail client.

And of course, then it's difficult to keep things straight.

This is even more difficult if you are in addition to plain HTML also attempting to render, for example, open office documents.

...