Really, quite literally, some pretty skilled Microsoft employee or contractor reverse engineered our friend EQNEDT32.EXE, located the flawed code, and corrected it by manually overwriting existing instructions with better ones (making sure to only use the space previously occupied by original instructions).
This… This is one hell of a story. The unanswered question is why, exactly, Microsoft felt the need to do this – do they no longer have access to the source code? Has it simply become impossible to set up the correct build environment?
Amazing.
It’s probably written in a dialect of C so old that even Microsoft doesn’t have its old compiler lying around that can correctly parse and compile the thing.
Edited 2017-11-17 12:24 UTC
The editor comes from a time when Microsoft Office programs would just dump their internal memory structures into the document files.
Writing a parser and converter, where some parts would probably not be convertible 100%, would probably take more time than doing this patching.
Now you would say, a sane engineering process with clean interfaces and file format specifications would have saved Microsoft all the trouble. The sad truth is that their strategy of rushing nasty code to the market worked quite too well for them.
The old equation editor was a licensed product – a cut down version of MathType.
Of course, the point still stands.
The entire industry has been based on rushing shipments for a long while. Microsoft were not the only ones, alas they were the most successful at pushing rushed code and still have customer bases increasing.
Yeah, there’s also the “release early, release often” maxim of (also) open source…
And I remember in some news, perhaps here, that MS was commended on the pace of development of Win10, ~”almost open source-like” …so, decide already!
Don’t confuse skill of engineers with priorities of managers.
There is no real question that Microsoft couldn’t have done the proper fix, they just didn’t want to devote the necessary resources to do so.
Also, since this was a security matter, it was probably faster and easier to patch the binary. And speed is often the second most important aspect of a security fix.
How many years has that program been around? It’s been around before the Ribbon interface. They’ve had all that time to write a converter for just about any format of Office, not as any targeted security effort, but just in the course of events in making general improvements and upgrades.
But why would they rewrite an obscure piece of software for a historical format? It works. It doesn’t make economical sense to rewrite things just because.
They don’t own the source code, and probably don’t want to renegotiate a new build from the 3rd party they bought the thing from.
A “dialect of C,” huh? You mean like C?
There was a time, not that long ago, when basically every C or C++ compiler was essentially incompatible with each other. It wasn’t until GCC, Clang, MSVC, and Intel destroyed all other compilers that there was anything resembling a single “C” language, even between those four.
If a program is written in C, and is only known to compile with a compiler from 20+ years ago, chances are it’s not written in standard C. It probably either only compiles with a certain compiler, or has a lot of #ifdefs to handle different compilers.
Most of the incompatibilities I have seen from old C code, and I have had to deal with ancient code bases at some jobs, were mainly due to architectural assumptions. Other than that, most of the old C code I’ve seen is pretty portable; there was not that much to the language after all.
Was the old C code you’ve seen mostly written for Unix-like OSes?
DOS C compilers added all sorts of extensions to cope with things like segmented addressing, and well, DOS. Here’s an old Dr. Dobbs article on that very subject: http://www.drdobbs.com/cpp/compiler-specific-c-extensions/184408821
Actually it was more C99 that fixed it. Most of the compilers had many of the sanity improvements C99 would eventually contain, much earlier.
In case you didn’t notice, Microsoft C compilers from the 90s weren’t exactly standards compliant.
From the article it looks like it’s maybe a third party application, so Microsoft may never have had access to the source code.
I remember back in the day, I was a die-hard WordPerfect fan, and the equation editor component was identical to that used in MS Office. I suspect they both licensed this component from a third-party.
EDIT: I’m seeing references on the internet that both products use a “watered down” version of this product:
http://www.mathtype.com/en/products/mathtype/default.htm
Edited 2017-11-17 15:10 UTC
Maybe they have some sophisticated AI tool that finds and corrects binary code
I think it’s more likely to be OI, or Organic Intelligence.
I’m pretty sure they have tools to look for security vulns in binaries, but patching I’m not sure of.
They think 2003 is ancient and 17 years!!! is a long time for code to hang around….
So much to learn….
Edited 2017-11-17 14:17 UTC
It looks like a company called Design Science may have created it. I found that name in the output of strings.
https://www.dessci.com/en/
As a part of a project I was involved in while studying a long time ago, I had to change Borland’s C compiler executable to make it work better with hardware we were working with. Not many bytes were changed, but the compiler produced the code we needed.
The code was updated to fix third party coding that was flawed from day one. OP link has the details.
Back in the days of binary punch cards, I knew someone who would edit binary code by either punching new holes into the card or else putting “chad” back into pre-existing holes.
Yet still remaining in the defined card stream, without inserting a new one. I bet you missed the whole point.
This isn’t that crazy. If you go to http://hcl.solsector.net you can see Mario Brito’s work. He’s been patching the Wing Commander games for the last 25 years. He figured out how to insert a DLL into the program’s initial loading code and can then insert his own code to modify an entire game engine without access to the source. For example: Wing Commander Prophecy shipped with Glide and DirectX support and 16-bit color. Mario has added an entire OpenGL renderer (wine now runs the game perfectly) and upped the color depth to 32-bit. He expanded almost every polygon count limit and file limit in the game. Entire custom campaigns have been created based on this, such as http://standoff.solsector.net
Edited 2017-11-20 19:23 UTC
You remind me of another Mario guy
Super Mario World was hacked to run a hex editor and mod loader on an unmodified Super Nintendo.
This game was also modded to have a level editor and replace it with another game while still running in memory (by the famous TASBot).
Yes, the unexpected things people did with their favorite games are crazy.