Microsoft Office: The way Microsoft writes security patches has led many software security experts to believe that the company may have lost the source code in one of the Office features.
Experts came to this conclusion this week when Microsoft fixed a security vulnerability identified as CVE-2017-11882 and affected EQNEDT32.EXE, the equation processor included in the Microsoft Office suite since 2007.
Although Microsoft replaced the old EQNEDT32.EXE component with a new one in 2007, the older file is still included in all Office installations to allow application users to load and edit equations created with the old component.
Investigators from security company Embedi discovered a flaw in this feature over the summer. The bug allowed silent attacks on all versions of Microsoft Office and Windows that were released in the last 17 years without user interaction.
While most security experts examined the Embide report (20 PDF pages) for details on the error, a specific company looked at how Microsoft fixed the error in Office.
The experts from 0patch - who manage a platform for instant distribution, application and removal of binary patches - noticed that the patched EQNEDT32.EXE file was almost identical to the old one.
"Have you ever encountered a C / C ++ compiler that put all the functions in an executable 500+ KB file at the exact same module address after compiling a modified source code, especially when those modifications resized the code into different functions?" experts ask.
When the developers modify the source code and compile a new binary file, the compiler modifies the memory addresses of the functions when the binary code is written. This creates a slightly different binary each time.
The only way the new EQNEDT32.EXE could have remained similar to the previous version would have been if Microsoft engineers had edited it manually.
A company like Microsoft, which has strong and sophisticated software and security development practices, would never consider manual binary processing acceptable. The only way this could happen is if Microsoft loses the source code of an Office component.
Embedi researchers pointed out that the age of the ingredient is what made them look for bugs.
"The exe was created on 11/9/2000", says the Embedi team.
"Without further ado, it was used in all versions of Microsoft Office. The item appears to have been developed by Design Science Inc. However, later the rights were bought by Microsoft ".
The fact that an item that comes with Office for the last 17 years has only received one update is quite strange.
Manually executing executable files to change the behavior of a binary system is considered a low-level hack, which usually causes more problems than it solves. Developers involved in such tactics usually risk destroying the entire binary. But according to 0patch, repairing EQNEDT32.EXE was a work of art.
The CVE-2017-11882 vulnerability occurred because EQNEDT32.EXE could have a fixed memory size and load a font name. If the font name was too large, it could cause the buffer to overflow, which would allow attackers to execute malicious code.
Microsoft then optimized other features as the code changes affected smaller features. So the company added bits padding to avoid confusing the settings of other nearby functions.
These efforts to prevent the EQNEDT32.EXE binary crash are time consuming and no sophisticated programmer would have done it all this way if he still had access to the source code.
In addition, Microsoft also modified the code version number manually.
All evidence suggests that Microsoft has lost access to the EQNEDT32.EXE source code.
"Keeping a software product in its binary form instead of rebuilding it from the modified source code is difficult. We can think about why Microsoft used the binary correction approach, but it seems to have done a very good job, "the team said.