Upset Equation Editor was killed off? Now you can tell Microsoft to go forth and multiply: App back from the dead

Micro patch rejuvenates abandoned Office add-on

By Thomas Claburn in San Francisco

Posted in Software, 16th January 2018 21:06 GMT

Microsoft Equation Editor was sentenced to death on January 9, 2018 at the age of 17, when a software update from Redmond removed five files necessary for the application to function.

Only a few months ago, the Windows giant thought its Equation Editor could be saved: its software engineers, lacking access to the ancient app's source code, fixed a security flaw in the program by manually patching the binary executable file.

Equation Editor is a stripped-down version of Data Science's MathType app that has been included as a component in Office since November 2000.

However, over the years, its blueprints were lost to Microsoft, and thus Redmond's engineers were forced to tweak bytes within the program's executable to remove the security flaw – a bog-standard buffer overflow bug. The programming blunder could be exploited by a malicious Office document to, when opened, execute arbitrary code and install malware: a booby-trapped equation in the file would be passed to the Equation Editor and trigger the overflow.

That was a hairy but necessary fix. It was sorta like going out on the wing of an airplane to fix a design fault in an engine with just a spanner, and then landing the thing in one piece. But with code. And not a multi-ton machine, 35,000 feet, gravity, and near-certain death.

Now, though, faced with the prospect of patching eight more vulnerabilities that have since surfaced in Equation Editor, Redmond's bit shufflers decided to terminate the math program completely rather than fix the coding gaffes.

Microsoft users who installed this month's Patch Tuesday software updates, and then edit previously crafted math equations in Word can expect to receive an error message, "Microsoft Equation is not available."

The tech giant's support page said customers will no longer be able to edit equations created with Equation Editor 3.0 as a result of its removal and recommends downloading a paid version of the app from MathType's current publisher, Wiris.

This is mainly of concern to those dealing with equations in files created prior to Office 2007, which includes a separate equation writing component not implicated by the security issue. Microsoft retained Equation Editor 3.0 in later versions of Office to maintain backward compatibility.

Resurrected

That isn't the end of it, however. ACROS Security, an infosec biz based in Slovenia, has bandaged and revived the dumped app with a binary-level fix of its own using its 0patch tool. Essentially, you need to restore the removed files and register Equation Editor as a local COM server, apply the ACROS fix, and you've got a working, patched math editor again in Office.

"The main purpose of 0patch has always been to help users bridge the 'security update gap,' but it can also be used for fixing functional bugs," said Mitja Kolsek, CEO of ACROS Security, in an email to The Register.

The security update gap refers to the time between the disclosure of a vulnerability and the publication of an official patch. 0patch provides a vulnerability mitigation mechanism during this period, as well as a way to revitalize abandoned code.

What makes 0patch particularly appealing for IT admins is that the 0patch Agent can fetch subsequent updates, if any are created.

The difficulty of creating binary-level code fixes varies. Kolsek said ACROS does reverse engineering to design its binary patches, but rarely attempts to decompile executables and similar files into approximate source code.

"If we have a proof-of-concept (a test case or an exploit) that triggers the vulnerability, it's generally fairly easy to write a micropatch," he said. "It naturally depends on the nature of the bug: For instance, a buffer overflow is easier to patch than a type-confusion issue, while logic or design bugs can be tricky and sometimes require 'amputation' of some functionality."

In a blog post today, Kolsek pointed to costly gear like MRI machines, and argued that people shouldn't be dependent on vendor support to determine whether they can keep using software-dependent devices.

"Clearly, Equation Editor is not a life-critical piece of equipment and seems relatively cheap to replace," he wrote. "It does, however, allow for a nice demonstration how an abandoned software product can be 'security-adopted' by a 3rd party, allowing its continued use without exposing one's environment to cheap public exploits."

Abandonware is a longstanding problem in the technology industry, one perhaps best addressed by making programming code available as open source to ensure it can be modified in the future.

With closed-source projects, while reverse engineering for interoperability is generally allowed under the DMCA in the US, there may be legal issues related to distributing patches to someone else's code.

"We're not aware of any legal issues per se," said Kolsek. "The code is still under copyright but we're not copying it." ®

Sign up to our NewsletterGet IT in your inbox daily

52 Comments

More from The Register

Microsoft Store adds ‘private audience’ apps to its Store

A velvet rope for digital tat, to help with betas, promos and maybe Windows 10 S

Microsoft wants serious, non-gaming developers to make more money

Build Planned dev deal tweak lets programmers keep 95 per cent of revenue

Even Microsoft's lost interest in Windows Phone: Skype and Yammer apps killed

Use iOS or Android, says Redmond, as telephony APIs sprout in Windows

Qualcomm, Microsoft drag apps for Win-10-on-Arm into 64-bit world

Visual Studio previews a world without 32-bit emulation

Hawaii Live-Go! Microsoft launches Honolulu admin tool for cloud and on-prem

One tool to rule them all

Microsoft starts buying speculative execution exploits

Adds bug bounty class for Meltdown and Spectre attacks on Windows and Azure

Microsoft's Azure green-lit for use by US spies

Government deal clears the way for a run at JEDI

Now that's old-school cool: Microsoft techies slap Azure Sphere IoT chip in an Altair 8800

Cloudy tech seen in oversized suit holding temperature probe

BlackBerry calls out between two worlds: Microsoft, Dynamics sandboxes walk with me

When container realms collide

Microsoft's Teams lights solitary candle, hipsters don't notice

Slacklike turns one