How I Found 16 Microsoft Office Excel Vulnerabilities in 6 Months

In this talk, I want to share the story of how I discovered 17 Microsoft Office Excel vulnerabilities in half a year. I find these vulnerabilities by fuzzing. I will share why I pick up Microsoft Office Excel as my fuzzing target, and how to build an effective fuzzing framework step by step.

In this talk, I will share the details about how to prepare for excel fuzzing:

• • How to select fuzzing corups

• • How to choose and implement mutation algorithm

• • How to start sample and catch exceptions

• • How to triage the fuzzing results

• • How to reproduce the results

• • How to report vulnerabilities to MSRC

 I will also share some problems encountered during the fuzzing process, including:

• • How to automate clicking the dialog box that appears during the excel fuzzing process

• • How to effectively clean up the temporary files generated during the fuzzing process to reduce the size of the virtual machine

• • How to speed up execution by switching between multiple old and lastest Office versions to speed up fuzzing

• • How to adjust fuzzing strategy to speed up execution

• • How to manage the results of fuzzing and to store and classify them

With the help of the method described in this talk, after half a year, I reported more than 20 office vulnerabilities to Microsoft, and got 16 CVE acknowledgements from MSRC, including 13 remote code execution vulnerabilities and 3 information disclosure vulnerabilities.