Greg Linares shared a funny story on X about how he and his teammates announced a major zero-day vulnerability in Office 2007 that turned out to be a false positive. To save the company's reputation, his job, and possibly the business itself, the team had to frantically search for a real bug. This happened at the end of 2006, when Linares was working at the security firm eEye, testing the new Microsoft Office suite for vulnerabilities.
eEye, then one of the leading vulnerability-management firms, had been tasked with checking whether the latest version of the office suite contained any zero-day flaws. Within 36 hours of the launch, Linares found a bug in the WordArt object conversion function. He reported the finding to his manager, Mark Maiffret, who agreed with Linares's assessment and sent it to the Microsoft Security Response Center (MSRC). At the same time, eEye issued several press releases about the bug, and some major news outlets covered the story based on eEye's announcement.
I'm in a half-passed-out state, filled with delirium, pizza half in my hand, barely conscious, when I hear a fuzzer really hit.
I spill a Mountain Dew Code Red while I come back into consciousness.
— Greg Linares (Laughing Mantis) (@Laughing_Mantis) June 8, 2024
But soon David LeBlanc, a senior security expert working on Office 2007, noticed that the bug could only be exploited if a debugger was attached to the program, which almost never happens in typical use by ordinary users. This meant that Linares's discovery was a false positive, and eEye would have to retract its announcements.
By that time, Greg had been at eEye for less than two months, and he was devastated: his mistake could cost the company its reputation and cost him his position.
But Mark had a different idea: instead of retracting the press release, he told the research team to find a new zero-day bug in Office 2007 as fast as possible. Meanwhile, eEye stalled, telling MSRC that the team had sent the wrong file and would soon provide an update.
So Linares began manually fuzzing the Office suite, feeding it invalid and unexpected data in the hope of triggering something, and the whole research team helped him. None of the team members left the office for several days, and their wives and partners grew worried about them. They kept going until they found another bug that would back up the initial announcement.
After four days of attempts, they finally found and reproduced a bug: a full overwrite of the extended instruction pointer (EIP), which gave the team control of the program's execution. Other team members traced the source of the bug and discovered that it affected Microsoft Publisher. After retesting the vulnerability both with a debugger attached and on a fresh operating system install, the team confirmed it.
The team then passed details of the new vulnerability to MSRC, gave full demonstrations of it, and confirmed their findings to the press. Microsoft confirmed the bug, and eEye subsequently published an advisory detailing it. eEye did not have to retract its initial announcement, Greg kept his job there as a security researcher, and he has now worked in the information security industry for about 20 years.
Source: tomshardware