Microsoft patched old Office vulnerability without recompiling code


According to researchers at 0patch, a vulnerability in an old Office component has been patched in an unusual way. The vulnerability was closed by modifying not the source code, but the exe itself. Microsoft may have lost the source code in question, but there are other possible explanations as well.

0patch reports that the normal process of producing a patch consists of rewriting part of the source code, after which the relevant exe file is recompiled. That didn't happen in this case, so someone at Microsoft modified the exe without having the source code. The authors of the 0patch blog post say they are impressed with the result and would like to get in touch with the person responsible.

They base their conclusion that the exe was manually modified on the finding that all functions can still be found at the same address after the patch, which would not happen if a compiler had gone over it first. The file in question is eqnedt32.exe, an editor for math equations in Office software. The original exe was compiled in 2000 according to 0patch, which makes it an antique piece of software.
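The reasoning above can be turned into a simple check. The following is an added example, not code from 0patch or Microsoft: it compares constructed toy byte images (not a real PE file) and uses hypothetical function names and entry offsets to show that a hand patch leaves every entry point in place while a rebuild shifts them.

```python
# Added example: toy byte images, not a real PE file or the real eqnedt32.exe.
def build(functions):
    """Concatenate (name, code) pairs; return (image, {name: entry offset})."""
    image, entries = b"", {}
    for name, code in functions:
        entries[name] = len(image)
        image += code
    return image, entries

def changed_runs(old, new, gap=4):
    """[(offset, length)] of differing runs; runs closer than `gap` bytes merge."""
    runs = []
    for i in range(min(len(old), len(new))):
        if old[i] != new[i]:
            if runs and i - (runs[-1][0] + runs[-1][1]) < gap:
                runs[-1] = (runs[-1][0], i - runs[-1][0] + 1)
            else:
                runs.append((i, 1))
    return runs

def functions_in_place(old, new, entries, sig_len=4):
    """True per function if its first sig_len bytes sit at the same offset in new."""
    return {n: old[o:o + sig_len] == new[o:o + sig_len] for n, o in entries.items()}

def classify(old, new, entries):
    """Same size and every known entry point unmoved suggests a hand-edited binary."""
    if len(old) == len(new) and all(functions_in_place(old, new, entries).values()):
        return "in-place binary patch"
    return "rebuilt or relinked"

PROLOGUE = b"\x55\x8b\xec"  # push ebp; mov ebp, esp
F1 = PROLOGUE + b"\x01" + b"\x90" * 12  # constructed function bodies
F2 = PROLOGUE + b"\x02" + b"\xaa" * 12
F3 = PROLOGUE + b"\x03" + b"\xbb" * 12
OLD, ENTRIES = build([("f1", F1), ("f2", F2), ("f3", F3)])
# Hand patch: overwrite three bytes inside f2, nothing moves.
PATCHED = OLD[:22] + b"\x3b\xc1\x72" + OLD[25:]
# Rebuild: f2 grows by six bytes, so f3 shifts to a new offset.
REBUILT, _ = build([("f1", F1), ("f2", F2 + b"\xdd" * 6), ("f3", F3)])

if __name__ == "__main__":
    for label, image in (("patched", PATCHED), ("rebuilt", REBUILT)):
        print(label, classify(OLD, image, ENTRIES), changed_runs(OLD, image))
```

On real binaries the entry offsets would come from a disassembler or symbol data, and a patch that rewrites a function's first bytes would need a longer or different signature.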

Last week, research by security firm Embedi showed that it is possible to trigger a buffer overflow in the software, which allows attackers to execute code on vulnerable systems. That gave Microsoft reason to issue a patch. Why the company didn't modify the source code and then recompile it is unclear; there may be a licensing issue, or the code may simply be lost, among many other possible explanations.

The exe indicates that the copyright belongs to the company Design Science, which today develops an equation editor called MathType. According to 0patch, Microsoft cannot just remove the old editor from its software, because this causes compatibility problems.

Screenshot of the file properties
