Office 2007 infosec researcher recalls panic after major bug announcement turned out to be a false positive

Greg Linares, who goes by the handle Laughing Mantis, shared a funny story on X on how he and his teammates announced a major zero-day Office 2007 vulnerability only to find that it was a mistake on their part. To save their reputation, jobs, and perhaps even the business, they had to scramble to find a real bug. This happened in late 2006, when Linares was working with digital security firm eEye, and they were testing the new Microsoft Office suite for vulnerabilities.

As eEye is one of the leading institutions in threat management, it was the company’s job to see if the latest version of one of the most widely used corporate software suites at that time had any zero-day flaws. Within 36 hours of the launch, Linares found a bug in the Word Art conversion function, which Word uses to convert old Word Art structures into modern ones for Office 2007.

He sent over this discovery to his senior, Marc Maiffret (who is now the CTO of BeyondTrust, the company that acquired eEye in 2012), who agreed with Linares’ discovery and sent it off to the Microsoft Security Response Center (MSRC). At the same time, eEye published several press releases about the bug, and some major news outlets covered the story based on eEye’s announcement…

Oops, a false positive

Shortly after the PR release and widespread news coverage, David LeBlanc, who was one of the principal security experts who worked on Office 2007, noticed that you could only exploit the bug when there was a debugger attached to the program — something that almost all average users wouldn’t have and wouldn’t work in day-to-day use of the suite. LeBlanc said, “So, about that crash… it’s only exploitable when a debugger is attached.” It meant that Greg Linares’ finding was a false positive, so eEye had to retract its announcements. Or perhaps not?

Greg had just been with eEye less than two months, and he felt devastated because his mistake could potentially cost the company its reputation. If eEye had to rescind its findings of a zero-day vulnerability in Microsoft Office, Linares’ job at the company would likely also be on the chopping block.

But Marc had a different idea: instead of retracting the press release, he told the research team to find him a new zero-day bug in Office 2007 ASAP. In the meantime, eEye killed some time by telling MSRC that the team sent the wrong file and would provide an update shortly.

So, Linares started manually fuzzing — or randomly inserting invalid and unexpected inputs — into the Office suite to try to find something. But he was not alone in his effort, the entire research team went over to him and said “We are in this together. Let’s do this.” None of the team left the office for days and their wives and partners were all worried sick about them. But they could not give up until they found another bug to back up their first announcement.

After four days of random fuzzing, an analysis toolkit, a binary decompiler, and several pizza stacks, one fuzzer made a hit — and it brought the entire team back to their senses. They ran the fuzzer again without the debugger, and it ran into the same crash: 0x4141414141, a full extended instruction pointer (EIP) overwrite that would allow the team to take control of the app.

Greg’s other teammates, Yuji and Derek, started reversing the bug to find its source and discovered it affected Microsoft Publisher, Microsoft’s desktop publishing software that wasn’t as popular as Excel, PowerPoint, or Word. After retesting the vulnerability with a debugger and on a fresh operating system, the team confirmed the bug.

The team then forwarded the vulnerability to MSRC, and it was so bad that Microsoft had to recall LeBlanc to the office to look at it. The eEye team then showed off full demos of the vulnerabilities and confirmed their findings to the press. Microsoft then responded to the team that found the issue and confirmed it. SafeInt — the portable library LeBlanc built to prevent integer overflows — wasn’t applied to the structure, which led to the vulnerability.

With MSRC confirming the issue, eEye wrote up the advisory informing everyone of the details of the vulnerability. The company didn’t have to retract its initial announcement, and Greg got to keep his job at eEye as a security researcher. Today, he has been working for more than 20 years in the information security industry and is affiliated with Huntress Labs, a cybersecurity firm that specializes in working with small and medium-sized companies.