0patch Blog: Micropatching Brings The Abandoned Equation Editor Back To Life
Tuesday, January 16, 2018
How We Security-Adopted a Terminated Software Product
by Mitja Kolsek, the 0patch Team
Intro
A few days ago Microsoft's update removed Equation Editor from Microsoft Office, the official reason being "security issues with its implementation." Most Office users couldn't care less about this removal, but if you've been happily using Equation Editor to edit Word documents with mathematical formulas just days ago, you suddenly can't do that anymore. You will still see your formulas in the document but you won't be able to edit them. Instead you'll get this:
We have no idea how many users are affected, but Twitter user @glyph raises an interesting point: those who work with Equation Editor may be tempted to skip this Office update, and by extension all future Office updates, which will leave them vulnerable to exploits published in the future.
So um. My cousin, a high school math teacher, wrote all his lesson plans using Equation Editor. Help him out, tweeps: is there a migration path here? I promise you ten thousand math teachers will just run unpatched Word forever, macros enabled and all, if not… https://t.co/iuhXeoJhWv
— glyph (@glyph) January 12, 2018
Even worse, affected users may decide to migrate back to unsupported versions of Office that don't receive security updates at all. This user, for instance, reports going back to Office 2000 on his Windows 10 computer. Office 2000 stopped receiving security updates in 2009.
Microsoft suggested affected users can "edit Equation Editor 3.0 equations without security issues" with Wiris Suite's MathType, a commercial application that costs $97 ($57 academic). They did not specify the basis for the phrase "without security issues," but MathType seems to have a clean public security record so far. Which doesn't say much, as the same was true of Equation Editor until someone looked under its hood.
We haven't tested MathType and can't tell how easy it is to start using it instead of Equation Editor with existing Word documents, but we don't particularly like the idea of suddenly deleting from users' computers a tool they might be using, and sending them to a store to buy a replacement.
Microsoft's unwillingness to continue supporting Equation Editor is understandable. Their manual patching of its recently discovered vulnerability reveals that, for whatever reason, their standard patching process cannot be applied to Equation Editor, and a deviation like that can be expensive. Furthermore, while they aren't new to manually patching executables, such patching can be fairly difficult to do. When you patch executable files directly, the new code has to fit into the bytes already there, so you may have to come up with a different clever space-saving hack for each patch, which can be very time-consuming. For instance, Microsoft's manual patches of Equation Editor required the patch author to free up space in the code for additional patch logic by de-optimizing a memory-copying routine.
So when Microsoft was faced with 8 (eight!)* new vulnerabilities in Equation Editor reported after their manual patch (one also reported by us), they gave up on the idea of continuing manual support for it.
We, on the other hand, haven't.
You see, it's much easier for us to create and support binary patches for a given executable module than it is for Microsoft. Why? Because we have a micropatch delivery agent (0patch Agent) that not only instantly downloads micropatches, but also injects them into running processes on the computer while automatically making room for the added code. So we don't have to invent a new way of making room for every micropatch we make, and can therefore focus on the patch itself. We also deliver our micropatches to agents every hour, and they are as trivial to revoke and un-apply as they are to apply. As much as we hate to repeat ourselves, this is how we believe security patching should look in this century.
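To make the contrast between the two approaches concrete, here is an added toy model (example code written for this article, not 0patch's patch format or agent, and not Microsoft's patch). It models a loaded code image as a byte buffer and implements two ways of applying a patch: editing bytes in place, where the replacement must fit into the bytes it overwrites (the "find free space first" problem above), and hot-patching, where a real x86 `jmp rel32` is planted at the patch site and the new code lives in a code cave that is added for it, so size no longer matters. Both paths refuse to apply unless the module hash and the bytes at the offset match what the patch expects, and both can be revoked. The `Module`, `Micropatch` and `PatchError` names, the sample image and the 12-byte placeholder fix are all constructed for the example; appending caves to the end of the image and leaving relocation of displaced instructions unmodeled are simplifications.

```python
"""Toy model of in-place binary patching versus hot-patching via a code cave,
with verification before applying and revocation afterwards.
Added example only; not 0patch's format or engine."""
import hashlib
import struct
from dataclasses import dataclass

JMP_LEN = 5   # x86 `jmp rel32` = 0xE9 + 4-byte signed displacement
NOP = 0x90


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode x86 `jmp dst` for a jump located at src. The displacement is
    relative to the end of the 5-byte instruction, so it may be negative."""
    return b"\xe9" + struct.pack("<i", dst - (src + JMP_LEN))


@dataclass(frozen=True)
class Micropatch:
    module_sha256: str   # hash of the exact on-disk build this patch is for
    offset: int          # offset of the instruction(s) being replaced
    original: bytes      # whole instructions expected at offset
    patch_code: bytes    # replacement logic; may be longer than `original`


class PatchError(Exception):
    pass


class Module:
    """A loaded code image. Identity is the hash of the file as loaded and is
    fixed at load time, so in-memory patches don't change which build it is."""

    def __init__(self, image: bytes):
        self.image = bytearray(image)
        self.sha256 = hashlib.sha256(image).hexdigest()
        self._applied = {}   # offset -> (displaced original bytes, cave start or None)

    def _check(self, mp: Micropatch) -> None:
        # Refuse wrong build, double application, or unexpected bytes at offset.
        if mp.module_sha256 != self.sha256:
            raise PatchError("patch targets a different build of this module")
        if mp.offset in self._applied:
            raise PatchError("a patch is already applied at this offset")
        if self.image[mp.offset:mp.offset + len(mp.original)] != mp.original:
            raise PatchError("bytes at offset do not match the expected original")

    def apply_inplace(self, mp: Micropatch) -> None:
        """Manual-style patch: new code must fit in the bytes it replaces."""
        self._check(mp)
        if len(mp.patch_code) > len(mp.original):
            raise PatchError("patch is larger than the bytes it replaces")
        padded = mp.patch_code + bytes([NOP]) * (len(mp.original) - len(mp.patch_code))
        self.image[mp.offset:mp.offset + len(mp.original)] = padded
        self._applied[mp.offset] = (mp.original, None)

    def apply_hotpatch(self, mp: Micropatch) -> None:
        """Agent-style patch: jmp out to a cave holding the new code, the
        displaced original instructions and a jmp back. Any size fits."""
        self._check(mp)
        if len(mp.original) < JMP_LEN:
            raise PatchError("need at least 5 bytes of whole instructions for the jmp")
        cave = len(self.image)               # simplification: caves are appended
        back = mp.offset + len(mp.original)  # resume right after the hooked bytes
        # Not modeled: displaced instructions with relative operands (calls, jumps,
        # RIP-relative loads) must be re-encoded when moved into the cave.
        body = mp.patch_code + mp.original
        self.image += body + jmp_rel32(cave + len(body), back)
        hook = jmp_rel32(mp.offset, cave) + bytes([NOP]) * (len(mp.original) - JMP_LEN)
        self.image[mp.offset:back] = hook
        self._applied[mp.offset] = (mp.original, cave)

    def revoke(self, mp: Micropatch) -> None:
        """Restore the displaced bytes; free the cave if no later cave follows it."""
        if mp.offset not in self._applied:
            raise PatchError("no patch applied at this offset")
        original, cave = self._applied.pop(mp.offset)
        self.image[mp.offset:mp.offset + len(original)] = original
        if cave is not None and not any(
            c is not None and c > cave for _, c in self._applied.values()
        ):
            del self.image[cave:]


def attempt(fn, mp: Micropatch) -> str:
    """Run a patch operation and report 'ok' or the refusal reason."""
    try:
        fn(mp)
        return "ok"
    except PatchError as e:
        return str(e)


# Constructed sample: a 32-byte image with an 8-byte function prologue
# (push rbp; mov rbp,rsp; sub rsp,0x20) at offset 8, surrounded by NOPs.
PROLOGUE = bytes.fromhex("554889e54883ec20")
IMAGE = bytes([NOP]) * 8 + PROLOGUE + bytes([NOP]) * 16
# Placeholder bytes standing in for a 12-byte fix; the point is only that it
# is longer than the 8 bytes it replaces.
FIX = bytes.fromhex("4883f9107703eb00" + "90909090")


def build_demo():
    """Module plus a patch whose hash matches that module's on-disk image."""
    mod = Module(IMAGE)
    return mod, Micropatch(mod.sha256, 8, PROLOGUE, FIX)


if __name__ == "__main__":
    mod, mp = build_demo()
    print("in-place:", attempt(mod.apply_inplace, mp))
    print("hot-patch:", attempt(mod.apply_hotpatch, mp))
    print("hook:", mod.image[8:16].hex(), "cave:", mod.image[32:].hex())
    mod.revoke(mp)
    print("revoked, image restored:", bytes(mod.image) == IMAGE)
```

The in-place path fails on the sample because 12 bytes of fix do not fit in the 8 bytes of prologue, which is exactly the situation that forces a manual patcher to hunt for space; the hot-patch path succeeds because the engine, not the patch author, supplies the room. The hash and original-bytes checks are the part a practitioner should not skip: a patch for one build written into another build's bytes is a crash or a new bug, not a fix.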
We've already issued our micropatch for CVE-2018-0802, and it's been applied to all computers running 0patch Agent where the latest version of Equation Editor is still present. We're also teaming up with other security researchers who have found vulnerabilities in Equation Editor to micropatch those issues too. We urge everyone who finds additional security issues in Equation Editor to share their findings with us and help us create micropatches for them.
[Update 2/20/2018: We've just issued a micropatch for another Equation Editor vulnerability, CVE-2018-0798. Big thanks to the 360 Vulcan Team for their help with that!]
Bringing Equation Editor Back To Life
So you've installed Office Updates from January 9th 2018 and Equation Editor got removed from your computer. Specifically, the update...