Office: Microsoft lost access to source code?

Microsoft Office: The way Microsoft wrote a recent security patch has led many software security experts to believe that the company may have lost the source code of one of the Office components.

Experts came to this conclusion this week when Microsoft fixed a security vulnerability identified as CVE-2017-11882, which affected EQNEDT32.EXE, the equation editor included in the Microsoft Office suite since 2007.

Although Microsoft replaced the old EQNEDT32.EXE component with a new one in 2007, the older file is still included in all Office installations to allow application users to load and edit equations created with the old component.

Researchers from security firm Embedi discovered a flaw in this component during the summer. The flaw allowed silent attacks on all versions of Microsoft Office and Windows released over the past 17 years without user interaction.

While most security experts turned to the Embedi report (20 PDF pages) for details on the flaw, one company looked at how Microsoft fixed it in Office.

Experts from 0patch - who manage a platform for direct distribution, application and removal of binary patches - noticed that the patched EQNEDT32.EXE file was almost identical to the old one.

"Have you ever encountered a C/C++ compiler that put all the functions in an executable 500+ KB file at the exact same module address after compiling a modified source code, especially when these modifications resized the code into different functions?" experts ask.

When developers modify source code and compile a new binary, the compiler assigns new memory addresses to the functions as it writes the binary code. This creates a slightly different binary each time.

The only way the new EQNEDT32.EXE could have remained similar to the previous version would have been if Microsoft engineers had edited it manually.

A company like Microsoft, which has strong and sophisticated software and security development practices, would never consider manual binary patching acceptable. The only way this could have happened is if Microsoft has lost the source code of an Office component.

Embedi researchers pointed out that the age of the component is what made them look for bugs.

"The exe was created on 11/9/2000", says the Embedi team.

"Without further ado, it was used in all versions of Microsoft Office. The item appears to have been developed by Design Science Inc. However, later the rights were bought by Microsoft."

The fact that a component that has shipped with Office for the last 17 years has received only one update is quite strange.

Manually editing executables to change the behavior of a binary is considered low-level hacking, which usually causes more problems than it solves. Developers who engage in such tactics usually risk breaking the entire binary. But according to the 0patch experts, fixing EQNEDT32.EXE was a work of art.

The CVE-2017-11882 vulnerability occurred because EQNEDT32.EXE used a fixed-size memory buffer when loading a font name. If the font name was too long, it could cause a buffer overflow which would allow attackers to execute malicious code.

Microsoft then optimized other functions, and because the code changes left some functions smaller, the company added padding to avoid disturbing the layout of other nearby functions.

These efforts to avoid corrupting the EQNEDT32.EXE binary are time-consuming, and no sane programmer would have gone to such lengths if they still had the source code.

In addition, Microsoft also modified the code version number manually.

All evidence suggests that Microsoft has lost access to the EQNEDT32.EXE source code.

"Keeping a software product in its binary form instead of rebuilding it from the modified source code is difficult. We can think about why Microsoft used the binary correction approach, but it seems to have done a very good job," the team said.
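The reasoning above, that an in-place binary patch leaves untouched functions at their old offsets while a rebuild shifts them, can be checked with a byte-level comparison of two images. The Python sketch below is an added example, not code from 0patch, Embedi or Microsoft; the sample images, function layout, NOP filler byte and helper names are all constructed for illustration.

```python
NOP = 0x90  # x86 one-byte no-op, a common filler byte (assumed filler here)

def changed_ranges(old, new, gap=4):
    """[(start, end)] offsets (end exclusive) where two same-size images differ;
    runs separated by fewer than `gap` identical bytes are merged."""
    if len(old) != len(new):
        raise ValueError("sizes differ: not an in-place patch")
    ranges = []
    for i, (a, b) in enumerate(zip(old, new)):
        if a == b:
            continue
        if ranges and i - ranges[-1][1] < gap:
            ranges[-1][1] = i + 1
        else:
            ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]

def touched_functions(old, new, layout):
    """Functions (by their OLD-image boundaries) that contain a changed byte."""
    diffs = changed_ranges(old, new)
    return sorted(name for name, (start, end) in layout.items()
                  if any(lo < end and hi > start for lo, hi in diffs))

def filler_tail(image, span, fill=NOP):
    """Number of filler bytes at the end of a function's slot."""
    start, end = span
    body = image[start:end]
    return len(body) - len(body.rstrip(bytes([fill])))

# Constructed sample images: three functions laid out back to back.
FUNC_A = bytes(range(0x10, 0x30))   # 32 bytes
FUNC_B = bytes(range(0x40, 0x70))   # 48 bytes, the function being fixed
FUNC_C = bytes(range(0x80, 0xA0))   # 32 bytes
FIXED_B = bytes(range(0xB0, 0xD8))  # 40 bytes: the fix made B shorter
LAYOUT = {"A": (0, 32), "B": (32, 80), "C": (80, 112)}
OLD = FUNC_A + FUNC_B + FUNC_C
# Binary patch: B is padded back to 48 bytes, so C stays at offset 80.
HAND_PATCHED = FUNC_A + FIXED_B + bytes([NOP]) * 8 + FUNC_C
# Rebuild (simplified): no padding, so C slides down by 8 bytes.
REBUILT = FUNC_A + FIXED_B + FUNC_C + bytes(8)

if __name__ == "__main__":
    for label, image in (("hand-patched", HAND_PATCHED), ("rebuilt", REBUILT)):
        print(label, changed_ranges(OLD, image), touched_functions(OLD, image, LAYOUT))
    print("filler bytes closing B's slot:", filler_tail(HAND_PATCHED, LAYOUT["B"]))
```

In the hand-patched image only function B's slot differs and it ends in filler, while in the rebuilt image every byte from B onward differs because C has moved.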

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
