Abandoned by Microsoft, Equation Editor gets “security-adopted” by micropatch pros
Last week, Microsoft did away with Equation Editor, a tool that has been part of Microsoft Office for over 17 years.
The reason behind the move? A remote code execution vulnerability actively exploited in the wild.
About Equation Editor
Equation Editor is a (mathematical) formula editor that allows users to construct math and science equations in a WYSIWYG environment.
While the software component has not been the default method of creating equations since 2007, it was still included in newer versions of MS Office in case users needed to edit an equation written in a version of Office older than 2007.
The beginning of the end for Equation Editor was when, last November, Microsoft patched its executable to plug a security hole discovered by Embedi researchers.
The patch blocked that exploit, but researchers who analyzed the patched binary soon found that PoC exploits they wrote to test the fix still worked. All in all, seven other vulnerabilities affecting the software have been reported to Microsoft since then, and the company decided to cut it from Office.
How desperate are you to get Equation Editor back?
As ACROS Security CTO Mitja Kolsek pointed out, the loss of the editor might be keenly felt by a specific subset of users who still prefer it, and they might decide to forgo this and future security updates in favor of keeping the useful tool.
“Worse even, affected users may decide to migrate back to unsupported versions of Office that don’t receive security updates at all,” he says.
So, they’ve decided to offer instructions on how to restore Equation Editor for users who have installed the January Office updates, and to keep pushing out micropatches (in-memory software fixes) for the flaws for the time being.
Restoring Equation Editor requires a modicum of knowledge of and ease with computers, and the willingness to risk going through a procedure that is not officially supported by Microsoft and may result in unwanted side effects. For those willing to try, the step-by-step instructions are here.
Although Kolsek doubts that, in the long run, attackers will concentrate on finding and exploiting vulnerabilities in Equation Editor now that Microsoft has removed it, he has made a point of saying that they don’t recommend restoring the software without also installing their 0patch Agent to keep it patched against known vulnerabilities.
“You don’t want to be vulnerable to trivial inexpensive attacks that can be delivered in any Word document you ever receive,” he says.
“We’ve already issued our micropatch for CVE-2017-0802, and it’s been applied to all computers running 0patch Agent where the latest version of Equation Editor is still present. We’re also teaming up with other security researchers who have found vulnerabilities in Equation Editor to micropatch those issues too. We urge everyone who finds additional security issues in Equation Editor to share their findings with us and help us create micropatches for them.”
Effectively, the company has “security-adopted” an abandoned piece of software.
But, if all this sounds too complicated for you, you can always mourn the loss of the Equation Editor and then choose to switch to an alternative application that offers the same capability (i.e., editing Equation Editor 3.0 equations). Microsoft’s suggestion is the (paid) third-party app MathType.