Researchers Mistakenly Reported a Vulnerability in Office 2007, Then Looked for a New One to Save Their Jobs

by alex

The Technology section is published with the support of Favbet Tech

Исследователи по ошибке заявили об уязвимости в Office 2007, а затем искали новую, чтобы не потерять работу

Greg Linares shared a funny story on X about how he and his teammates announced a major zero-day vulnerability in Office 2007. However, it turned out that it was an error on their part. To save their reputation, their jobs, and maybe even their business, they had to go out of their way to find the real mistake. This happened in late 2006 when Linares was working with digital security firm eEye and they were testing the new Microsoft Office suite for vulnerabilities.

eEye is one of the leading threat management agencies and its task was to check whether the latest version of the office suite had any zero-day flaws. Within 36 hours of launch, Linares discovered a bug in the Word Art object conversion function. He forwarded this finding to his supervisor, Mark Meiffret, who agreed with Linares' discovery and forwarded it to the Microsoft Security Response Center (MSRC). At the same time, eEye published several press releases about the bug, and several major news outlets covered the story based on eEye's announcement.

But soon David LeBlanc, who was one of the main security experts and worked on Office 2007, noticed that the bug could only be exploited if a debugger was attached to the program. But in typical use of a software package by average users, this almost never happens. This meant that Greg Linares' discovery was a false positive, so eEye had to withdraw its ads.

By this time, Greg had been working at eEye for less than two months and was feeling devastated because his mistake could potentially cost the company its reputation and his position in the company. eEye would have to withdraw its announcement.

Online course “Illustration Basis” from Skvot. From software and basics of illustration to the first clients. Adobe Photoshop, Adobe Illustrator and Procreate. Find out how to develop a distinctive brand, find clients and evaluate your work properly. About the course

READ
Durov: Apple demands to ban some channels in Telegram for users with Ukrainian SIM cards

But Mark had another idea: Instead of retracting the press release, he told the research team to find him a new zero-day bug in Office 2007 as soon as possible. Meanwhile, eEye stalled, telling MSRC that the team had sent the wrong file and would provide an update soon.

So Linares started manually fuzzing—or accidentally inserting invalid and unexpected data—into the Office suite to try to find something. The entire research group helped him in this. None of the team left the office for several days, and their wives and partners were very worried about them. They kept trying until they found another bug to confirm their first announcement.

After four days of various attempts, the bug was finally found and reproduced – a complete overwrite of the extended instruction pointer, which allowed the team to take control of the program. Other team members began looking into the source of the bug and discovered that it affected Microsoft Publisher. After retesting the vulnerability using a debugger and a new operating system, the team confirmed the bug.

The team then reported the new vulnerability to MSRC and conducted full demonstrations of the vulnerability and confirmed their findings to the press. Microsoft then confirmed it, and after that eEye wrote an advisory message about the details of the vulnerability. The company did not have to retract its initial announcement; Greg retained his job at eEye as a security researcher and has been working in the information security industry for nearly 20 years.

Исследователи по ошибке заявили об уязвимости в Office 2007, а затем искали новую, чтобы не потерять работу

Исследователи по ошибке заявили об уязвимости в Office 2007, а затем искали новую, чтобы не потерять работу

Favbet Tech is IT a company with 100% Ukrainian DNA, which creates perfect services for iGaming and Betting using advanced technologies and provides access to them. Favbet Tech develops innovative software through a complex multi-component platform that can withstand enormous loads and create a unique experience for players. The IT company is part of the FAVBET group of companies.

You may also like

Leave a Comment