When a company like Microsoft wants to fix a security flaw in one of its products, the process is normally straightforward: determine where the bug lies, change the program's source code to fix the bug, and then recompile the program. But it looks like the company had to step outside this typical process for one of the flaws it patched this Tuesday. Instead of fixing the source code, it appears that the company's developers made a series of careful changes directly to the buggy program's executable file.
Bug CVE-2017-11882 is a buffer overflow in the ancient Equation Editor that ships with Office. The Equation Editor allocates a fixed-size piece of memory to hold a font name and then copies the font name from the equation file into this piece of memory. It doesn't, however, check to ensure that the font name will fit into this piece of memory. When given a font name that's too long, the Equation Editor overflows the buffer, corrupting its own memory, and an attacker can use this to execute arbitrary malicious code.
Normally the work to fix this would be to determine the length of the font name and create a buffer that's big enough to hold it. That's a simple enough change to make in source code. If that's not possible—there are occasional situations where a buffer can't easily be made bigger—then the next best solution is to limit the amount of data copied into it, truncating the font name if it's too long to fit. Again, that's a simple change to make in the source code.
But that doesn't appear to be what Microsoft did here.
Analysis of Microsoft's patch strongly indicates that the company didn't make changes to the source code at all. Instead, it seems that the flaw has been fixed by very carefully modifying the Equation Editor executable itself. Normally when a program is modified and recompiled, there are ripple effects from this compilation. Low-level aspects of the compiled code will change slightly; the recompiled code will use registers slightly differently, functions will be placed at different locations in memory, and so on. But none of that is in evidence here; a side-by-side comparison of the fixed program and the original version shows that it's almost completely unaltered apart from a few bytes in a few functions. The only way that's likely to happen is if the bug-fixing was performed directly on the program binary itself, without going through the source code.
This is a difficult task to pull off. The fixed version includes an extra test to make sure the font name isn't too long, truncating it if it is. Doing this extra test means adding extra instructions to the buggy function, but Microsoft needed to make the fix without making the function any longer, to ensure that other, adjacent functions weren't disturbed. To create room for the new length check, the part of the program that copied the font name was ever so slightly deoptimized, replacing a faster routine with a slightly slower one and freeing up a few bytes in the process.
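The unchecked copy described above, beside the bounded, truncating copy that the fix adds, as an added C illustration; this is not Equation Editor's own code, and the buffer size, record layout and function names are assumptions made for the example:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not Equation Editor's own code: the buffer
 * size and the record layout are assumptions made for this example. */
#define FONT_NAME_MAX 32          /* assumed size of the fixed buffer */

struct font_record {
    char name[FONT_NAME_MAX];     /* fixed-size buffer for the font name */
};

/* The bug as described: the font name read from the equation file is
 * copied into the fixed buffer with no check that it fits, so any
 * src_len > FONT_NAME_MAX writes past the end of rec->name. Shown for
 * contrast only; it is never called with an oversized name here. */
void copy_font_name_unchecked(struct font_record *rec,
                              const char *src, size_t src_len)
{
    memcpy(rec->name, src, src_len);          /* no bound: overflow */
}

/* The fix as described: bound the copy to the buffer and truncate a
 * name that is too long, always leaving room for a NUL terminator.
 * Returns 1 if the name was truncated, 0 if it was copied whole. */
int copy_font_name_checked(struct font_record *rec,
                           const char *src, size_t src_len)
{
    int truncated = 0;
    if (src_len >= FONT_NAME_MAX) {           /* the added length test */
        src_len = FONT_NAME_MAX - 1;          /* keep room for the NUL */
        truncated = 1;
    }
    memcpy(rec->name, src, src_len);
    rec->name[src_len] = '\0';
    return truncated;
}

int main(void)
{
    struct font_record rec;
    char oversized[100];                      /* constructed input */
    memset(oversized, 'A', sizeof oversized);

    copy_font_name_checked(&rec, "Times New Roman", 15);
    printf("%s\n", rec.name);
    int t = copy_font_name_checked(&rec, oversized, sizeof oversized);
    printf("truncated=%d stored=%zu bytes\n", t, strlen(rec.name));
    return 0;
}
```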
The inspection even suggests that this isn't the first time Microsoft has had to make such fixes; a few instructions were found to be unusually duplicated in the original, broken version of the program. This kind of thing would happen if a previous modification had made the program's code slightly shorter.
A look at the Equation Editor's embedded version information also gives clues as to why Microsoft had to take this approach in the first place. It's a third-party tool, developed between 1990 and 2000 by a company named Design Science. That company still exists and is still producing equation editing software, but if we were to guess, Microsoft either doesn't have the source code at all or doesn't have permission to make fixes to it.
Word nowadays has its own built-in equation editing, but Equation Editor is still supported for backwards compatibility, to ensure that old documents with embedded equations remain usable. Still, we're a little surprised that Microsoft fixed it rather than removing it entirely. It's very much a relic from another era, dating from long before Microsoft's considerable investment in secure coding practices and exploit mitigation techniques. Equation Editor lacks all of the protections found in Microsoft's recent code, making its flaws much easier to exploit than those of, say, Word or Windows. This makes it something of a security liability, and we'd be amazed if this font bug is the last one to be found.