After the last patches of the Office equation editor, some speculation has arisen that Microsoft may have lost access to parts of its Office source code. Here’s some information.
Microsoft equation editor EQNEDT32. EXE which was included in Microsoft Office until 2007, has a a vulnerability CVE-2017-11882, which was closed on November 2017 patchday. The vulnerability was discovered this summer by researchers at Embedi. It allows silent attacks on all Microsoft Office and Windows versions of the last 17 years without user interaction.
In 2007, a new formula editor was introduced in Microsoft Office. But the files of the old formula editor EQNEDT32.EXE are still included in all Office versions, allowing users to edit equations created by the old formula editor.
Now security experts from 0patch has had a closer look at the patched equation editor. 0patch develops patches against 0-day exploits and found out, that the old and the new files are nearly equal. It’s very unusual, if you change some source code and re-compile it after years, that the compiler will create the same binary output. It is extremely unlikely that all functions in a 500 KB program file will be stored in exactly the same place.
For the experts at 0patch, there is only one logical explanation why the new version of EQNEDT32.EXE is so similar to the previous version: Microsoft developers must have manually edited the binary file themselves. For a company like Microsoft, which has version maintenance and code management, altering the binary code manually might be a no go.
And there’s another strange thing. The equation editor shows the following About dialog box. It says, that the module was last compiled in 2000. Also the message says, that the software was developed by Design Science Inc.
So this equation editor hasn’t been updated since 17 years and was exchanged in 2007 by a new editor. The conclusion: Microsoft has somehow lost access to the source code of the old formula editor. Or even worse, people at Microsoft probably never had the source code of the formula editor. You can read some details in the Bleeping Computer article.