Microsoft runs fuzzing botnet, finds 1,800 Office bugs
Finds, fixes huge number of Office 2010 bugs by tapping idle company PCs
Computerworld - Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs, a company security engineer said today.
Office developers found the bugs by running millions of "fuzzing" tests, said Tom Gallagher, senior security test lead with Microsoft's Trustworthy Computing group.
Fuzzing, a practice employed by both software developers and security researchers, searches for flaws by inserting data into file format parsers to see where programs fail by crashing. Because some crash bugs can be further exploited to successfully hack software, allowing an attacker to insert malicious code, fuzzing is of great interest to both legitimate and criminal researchers looking for security vulnerabilities.
"We found and fixed about 1,800 bugs in Office 2010's code," said Gallagher, who last week co-hosted a presentation on Microsoft's fuzzing efforts at the CanSecWest security conference in Vancouver, British Columbia. "While a large number, it's important to note that that doesn't mean we found 1,800 security issues. We also want to fix things that are not security concerns."
Gallagher declined to quantify the number of flaws found via fuzzing that qualified as vulnerabilities, saying only that the Office 2010 team did uncover security bugs in the process and patched them during development. Some of those vulnerabilities have already been addressed in older editions of Office, Gallagher added, because information obtained by fuzzing Office 2010 code was checked against the code in earlier versions -- such as Office 2007 and Office 2003 -- then patched during Office 2010's development.
Non-security bugs discovered in Office 2010 that also exist in previous editions will be fixed in those versions' upcoming service packs, Gallagher said.
Microsoft was able to find such a large number of bugs in Office 2010 by using not only machines in the company's labs, but also under-utilitized or idle PCs throughout the company. The concept isn't new: The Search for Extraterrestrial Intelligence (SETI@home) project may have been the first to popularize the practice, and remains the largest, but it's also been used to crunch numbers in medical research and to find the world's largest prime number.
"We call it a botnet for fuzzing," said Gallagher, referring to what Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team.
Client software installed on systems throughout Microsoft's network automatically kicks in when the PCs are idle, such as on weekends, to run fuzzing tests "We would do millions of [fuzzing] iterations each weekend," Gallagher said -- up to 12 million in some cases.
The difference between Microsoft's old way of fuzzing -- which involved a tester setting up a fuzzer on a single machine, then letting it run for as long as a week -- and DFF was dramatic, said Gallagher. "We can do 12 million iterations without a lot of effort," he said. "Set it up, go home, come in on Monday, and we have the results listing all the issues. What used to take days now just takes an hour."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts