Worryingly, the 2018 CVE mentioned by Kaspersky was patched in January that year, suggesting user and/or sysadmin slackness has a part to play in the popularity of these particular problems.
Of course the MS "patch" for the equation editor simply breaks it - they DID NOT FIX IT. Apparently they don't have the code or license to do so! https://www.theregister.co.uk/2018/01/16/microsoft_equation_editor_patched/
So if you have many documents using the old-style equation editor and don't want masses of pointless work trying to re-draw them (probably introducing errors) in the somewhat more shitty new-style MS equation editor, you simply can't plug that hole.