Finding the True Vulnerability in Office 2007: A Comical Odyssey of Cybersecurity Researchers
A team of information security researchers narrowly avoided disaster after a false positive claim for a zero-day vulnerability and found a real vulnerability in Office 2007 to save their company's reputation.
Team Panic
False Revelation
In late 2006, Greg Linares, while working at eEye, a digital security company, discovered a potential bug in the Word Art conversion feature in Microsoft's new 2007 Office suite. The team announced it as a zero-day vulnerability and published press releases, attracting the attention of major news outlets. However, Microsoft expert David LeBlanc soon pointed out that the error could only be triggered when a debugger was attached to the program, which is unlikely for ordinary users. Thus, Linares' discovery turned out to be a false positive.
Finding the real vulnerability
Instead of withdrawing the announcement, eEye management instructed the team to find a real zero-day vulnerability in Office 2007 as quickly as possible. Hard work began on manual fuzz testing of the suite, and after several days of continuous effort, a complete overwrite of the extended instruction pointer (EIP) was discovered. Researchers confirmed this new vulnerability, which also affected Microsoft Publisher, through analysis and demonstrations. The information was submitted to the Microsoft Security Response Center, and an advisory with details of the vulnerability was published once it was confirmed.
Glossary
- eEye is a digital security firm focused on threat management.
- Microsoft Security Response Center (MSRC) is Microsoft's center for responding to security threats.
- Fuzzing is a software testing method that involves submitting incorrect or random data to the program input in order to detect vulnerabilities.
Answers to questions
What happened in the story with Greg Linares and eEye?
How did Greg Linares and his team manage to find a real vulnerability in Microsoft Office 2007?
What were the consequences for eEye and Greg Linares after successfully discovering the vulnerability?
What role did Marc Maiffret, Greg Linares' boss at eEye, play?
How did the eEye team buy time to find the real vulnerability?
Discussion of the topic – Finding the True Vulnerability in Office 2007: A Comical Odyssey of Cybersecurity Researchers
eEye's cybersecurity team announced it had discovered a critical vulnerability in Office 2007, but it was later revealed to be a bug. To save their reputation and their jobs, they had to go out of their way to find a real vulnerability.
Latest comments
8 comments
Egor
What a story! 😲 I can imagine how worried Greg was when it turned out that his mistake was false. But it’s cool that they had a team that didn’t give up and was able to find a real vulnerability in a short time.
Marta
Yes, the adrenaline must have gone through the roof! 🥵 Well done for not giving up and saving the face of the company. In such situations, it is important to act quickly and unitedly.
Grzegorz
Can you imagine if they hadn't found a new vulnerability? 😨 This would be a blow to eEye's reputation. It’s good that the team showed endurance and ingenuity!
Klaus
It happens that you seem to have found a mistake, but in fact you haven’t 🤷‍♂️ The main thing is not to give up and move on. Greg and his team were great for reacting quickly and rectifying the situation. Professionalism at its best!
Dmitriy
Phew, what passion! 😰 I thought the job of a cybersecurity specialist was all about sitting at a computer. It turns out that sometimes a whole action movie unfolds here! 🤯
Franco
Well, this doesn’t happen every day 🥶 There are so many interesting things happening in cyberspace! But I once found a bug in my favorite shooter - the character, instead of shooting, started doing push-ups 🤣 It was cool!
Ivan
Hmm, here's all your newfangled digital nonsense 🙄 In my time, everything was for real: I opened a book and read, not like today's programs with endless errors! And office packages are even more terrible 💀
Magda
Oh, come on, grandfather Vanya 🧓 You yourself have probably already mastered a smartphone and YouTube 📲 Technology is progress, with or without mistakes. You just need to move with the times and not be afraid of new things! 🚀