Microsoft Equation Editor was sentenced to death on January 9, 2018 at the age of 17, when a software update from Redmond removed five files necessary for the application to function.
Only a few months ago, the Windows giant thought its Equation Editor could be saved: its software engineers, lacking access to the ancient app's source code, fixed a security flaw in the program by manually patching the binary executable file.
Equation Editor is a stripped-down version of Data Science's MathType app that has been included as a component in Office since November 2000.
However, over the years, its blueprints were lost to Microsoft, and thus Redmond's engineers were forced to tweak bytes within the program's executable to remove the security flaw – a bog-standard buffer overflow bug. The programming blunder could be exploited by a malicious Office document to, when opened, execute arbitrary code and install malware: a booby-trapped equation in the file would be passed to the Equation Editor and trigger the overflow.
That was a hairy but necessary fix. It was sorta like going out on the wing of an airplane to fix a design fault in an engine with just a spanner, and then landing the thing in one piece. But with code. And not a multi-ton machine, 35,000 feet, gravity, and near-certain death.
Now, though, faced with the prospect of patching eight more vulnerabilities that have since surfaced in Equation Editor, Redmond's bit shufflers decided to terminate the math program completely rather than fix the coding gaffes.
Microsoft users who installed this month's Patch Tuesday software updates, and then edit previously crafted math equations in Word can expect to receive an error message, "Microsoft Equation is not available."
The tech giant's support page said customers will no longer be able to edit equations created with Equation Editor 3.0 as a result of its removal and recommends downloading a paid version of the app from MathType's current publisher, Wiris.
This is mainly of concern to those dealing with equations in files created prior to Office 2007, which includes a separate equation writing component not implicated by the security issue. Microsoft retained Equation Editor 3.0 in later versions of Office to maintain backward compatibility.
That isn't the end of it, however. ACROS Security, an infosec biz based in Slovenia, has bandaged and revived the dumped app with a binary-level fix of its own using its 0patch tool. Essentially, you need to restore the removed files and register Equation Editor as a local COM server, apply the ACROS fix, and you've got a working, patched math editor again in Office.
"The main purpose of 0patch has always been to help users bridge the 'security update gap,' but it can also be used for fixing functional bugs," said Mitja Kolsek, CEO of ACROS Security, in an email to The Register.
The security update gap refers to the time between the disclosure of a vulnerability and the publication of an official patch. 0patch provides a vulnerability mitigation mechanism during this period, as well as a way to revitalize abandoned code.
What makes 0patch particularly appealing for IT admins is that the 0patch Agent can fetch subsequent updates, if any are created.
The difficulty of creating binary-level code fixes varies. Kolsek said ACROS does reverse engineering to design its binary patches, but rarely attempts to decompile executables and similar files into approximate source code.
"If we have a proof-of-concept (a test case or an exploit) that triggers the vulnerability, it's generally fairly easy to write a micropatch," he said. "It naturally depends on the nature of the bug: For instance, a buffer overflow is easier to patch than a type-confusion issue, while logic or design bugs can be tricky and sometimes require 'amputation' of some functionality."
In a blog post today, Kolsek pointed to costly gear like MRI machines, and argued that people shouldn't be dependent on vendor support to determine whether they can keep using software-dependent devices.
"Clearly, Equation Editor is not a life-critical piece of equipment and seems relatively cheap to replace," he wrote. "It does, however, allow for a nice demonstration how an abandoned software product can be 'security-adopted' by a 3rd party, allowing its continued use without exposing one's environment to cheap public exploits."
Abandonware is a longstanding problem in the technology industry, one perhaps best addressed by making programming code available as open source to ensure it can be modified in the future.
With closed-source projects, while reverse engineering for interoperability is generally allowed under the DMCA in the US, there may be legal issues related to distributing patches to someone else's code.
"We're not aware of any legal issues per se," said Kolsek. "The code is still under copyright but we're not copying it." ®