Earlier this week, I already wrote a post about the Equation Editor security bug in Office that got fixed as part of this month's Microsoft Patch Tuesday security rollout.
An analysis of this update reveals something pretty interesting: Microsoft did not patch the source code of this tool but made a couple of changes directly to the application's executable!
This feature is a legacy function that's still found in modern versions of Office. These days the Office suite has its own built-in equation editing, but the software giant is still keeping Equation Editor in there for backwards compatibility with very old documents. Microsoft patched the security vulnerabilities by changing a few bytes in a few functions, which is a very unusual move:
This is a difficult task to pull off. The fixed version includes an extra test to make sure the font name is not too long, truncating it if it is. Doing this extra test means adding extra instructions to the buggy function, but Microsoft needed to make the fix without making the function any longer to ensure that other, adjacent functions were not disturbed. To make space for the new length checking, the part of the program that copied the font name was ever so slightly deoptimized, replacing a faster routine with a slightly slower one, and freeing up a few bytes in the process.
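The constraint described above (the executable stays the same size, and the changed bytes stay inside the patched function so its neighbours are untouched) can be checked by diffing the pre-patch and post-patch images. This is an added example, not code from the original post or from Microsoft; the byte strings, offsets and function names are constructed placeholders, not values from the real Equation Editor executable.

```python
# Added illustration. OLD, GOOD, GROWN, SPILL and FUNCS are constructed sample
# data with a hypothetical layout, not bytes or offsets from the real binary.

def changed_runs(old: bytes, new: bytes):
    """Return half-open (start, end) offset ranges where two images differ."""
    runs, start = [], None
    for i, (a, b) in enumerate(zip(old, new)):
        if a != b and start is None:
            start = i                      # a run of differing bytes begins
        elif a == b and start is not None:
            runs.append((start, i))        # the run ended at the previous byte
            start = None
    if start is not None:                  # run reaches the end of the image
        runs.append((start, min(len(old), len(new))))
    return runs

def check_in_place_patch(old, new, functions, expected):
    """Verify a binary patch was applied in place.

    functions: {name: (start, end)} half-open ranges in the old image.
    expected:  names of the functions the patch is supposed to touch.
    Returns (ok, report); report maps each touched owner to its changed-byte
    count, or holds only 'size_delta' when the image length changed.
    """
    if len(old) != len(new):
        # Any growth or shrinkage shifts everything after the edit.
        return False, {"size_delta": len(new) - len(old)}
    report = {}
    for start, end in changed_runs(old, new):
        for off in range(start, end):
            owner = next((name for name, (lo, hi) in functions.items()
                          if lo <= off < hi), "<outside>")
            report[owner] = report.get(owner, 0) + 1
    # Pass only if something changed and every change is in an expected function.
    return bool(report) and set(report) <= set(expected), report

OLD = bytes(range(64))                                   # constructed image
FUNCS = {"copy_font_name": (16, 40), "adjacent_fn": (40, 64)}
GOOD = OLD[:20] + b"\xAA\xBB\xCC" + OLD[23:]             # 3 bytes rewritten in place
GROWN = OLD[:20] + b"\xAA\xBB\xCC\xDD" + OLD[20:]        # bytes inserted, image grows
SPILL = OLD[:38] + b"\xAA\xBB\xCC\xDD" + OLD[42:]        # edit crosses into neighbour

if __name__ == "__main__":
    for label, image in (("good", GOOD), ("grown", GROWN), ("spill", SPILL)):
        print(label, check_in_place_patch(OLD, image, FUNCS, {"copy_font_name"}))
```
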
Equation Editor was developed by Design Science in the 1990s. That company still exists and is still distributing equation editing tools.
Ars Technica suggests Microsoft created this unusual patch because it either doesn't have the source code of the tool or isn't allowed to make changes to it.