The presentation discusses the process of finding vulnerabilities in Excel Online and the potential for exploiting its formulas. It also touches on the limitations of detection capabilities and the rarity of one-shot exploits.
- Excel Online runs server-side on an IIS server and contains most of desktop Excel's core functionality, making it vulnerable to bugs affecting desktop Excel
- Finding a bug in Excel Online requires careful consideration of mitigations and the type of bug being sought
- Excel formulas offer potential for exploitation, as they contain functions similar to those found in JavaScript
- One-shot exploits that bypass all mitigations are rare, with most exploits targeting web browsers or kernel APIs
- Detection capabilities for deeply malicious Excel formulas are limited
The speaker shares their experience of exploiting Excel in their previous job and their curiosity to see if they could find a bug in Excel Online using Microsoft resources. They also mention the rarity of one-shot exploits and give an example of Chris Evans' exploit targeting an image format that bypassed all mitigations.