News Software 06-10-2024 at 14:09

Security researchers falsely reported a vulnerability in Office 2007 and then spent days of overtime looking for a new one to avoid losing their jobs


Vadym Karpus

News writer

Greg Linares shared a funny story on X about how he and his teammates announced a major zero-day vulnerability in Office 2007. However, it turned out that it was a mistake on their part. To save their reputations, their jobs, and possibly even their business, they had to scramble to find the real bug. It happened in late 2006, when Linares was working with digital security firm eEye, and they were testing the new Microsoft Office suite for vulnerabilities.

eEye is one of the leading threat management institutions, and their task was to check if the latest version of the office suite had any zero-day flaws. Within 36 hours of launch, Linares discovered a bug in the Word Art object conversion feature. He sent this finding to his supervisor, Mark Mayfair, who agreed with Linares’ discovery and sent it to the Microsoft Security Response Center (MSRC). At the same time, eEye published several press releases about the bug, and some major news outlets covered the story based on eEye’s announcement.

Soon, however, David LeBlanc, one of the main security experts who worked on Office 2007, noticed that the bug could only be exploited if a debugger was attached to the program. In typical use of the software by average users, this almost never happens. This meant that Greg Linares’ discovery was a false positive, and eEye had to retract its announcement.

At the time, Greg had been with eEye for less than two months and felt devastated: his mistake could cost the company its reputation and him his position, and eEye would have to retract its announcement.

But Mark had a different idea: instead of retracting the press release, he told the research team to find him a new zero-day bug in Office 2007 as soon as possible. In the meantime, eEye stalled, telling MSRC that the team had sent the wrong file and would provide an update soon.

So Linares started manually fuzzing the Office suite (randomly inserting invalid and unexpected data) to try to find something. The whole research team helped him with this. None of the team left the office for several days, and their wives and partners were very worried about them. They continued their attempts until they found another bug to confirm their first announcement.

After four days of various attempts, they finally managed to find and reproduce the bug: a complete overwrite of the extended instruction pointer (EIP), which allowed the team to take control of the program. Other team members began looking for the source of the bug and discovered that it affected Microsoft Publisher. After retesting the vulnerability with a debugger and a new operating system, the team confirmed the bug.

The team then passed the information about the new vulnerability to the MSRC, conducted full demonstrations of it, and confirmed their findings to the press. Microsoft then confirmed it, and eEye subsequently wrote an advisory about the details of the vulnerability. The company did not have to retract its initial announcement. Greg kept his job at eEye as a security researcher and has been working in the information security industry for nearly 20 years.

Source: tomshardware
