[Infowarrior] - Microsoft runs fuzzing botnet, finds 1, 800 Office bugs

Richard Forno rforno at infowarrior.org
Thu Apr 1 12:48:07 UTC 2010


(Talk about dual-use technologies, eh?  This is a rather innovative  
idea, I think .... even if I'm not a software security guy.  -rf)

Microsoft runs fuzzing botnet, finds 1,800 Office bugs
Finds, fixes huge number of Office 2010 bugs by tapping idle company PCs
Gregg Keizer

http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs

March 31, 2010 (Computerworld) Microsoft uncovered more than 1,800  
bugs in Office 2010 by tapping into the unused computing horsepower of  
idling PCs, a company security engineer said today.

Office developers found the bugs by running millions of "fuzzing"  
tests, said Tom Gallagher, senior security test lead with Microsoft's  
Trustworthy Computing group.

Fuzzing, a practice employed by both software developers and security  
researchers, searches for flaws by feeding data into file format  
parsers and watching for the points at which the program crashes.  
Because some crash bugs can be further exploited to successfully hack  
software, allowing an attacker to insert malicious code, fuzzing is of  
great interest to both legitimate and criminal researchers looking for  
security vulnerabilities.

"We found and fixed about 1,800 bugs in Office 2010's code," said  
Gallagher, who last week co-hosted a presentation on Microsoft's  
fuzzing efforts at the CanSecWest security conference in Vancouver,  
British Columbia. "While a large number, it's important to note that  
that doesn't mean we found 1,800 security issues. We also want to fix  
things that are not security concerns."

Gallagher declined to quantify the number of flaws found via fuzzing  
that qualified as vulnerabilities, saying only that the Office 2010  
team did uncover security bugs in the process and patched them during  
development. Some of those vulnerabilities have already been addressed  
in older editions of Office, Gallagher added, because information  
obtained by fuzzing Office 2010 code was checked against the code in  
earlier versions -- such as Office 2007 and Office 2003 -- then  
patched during Office 2010's development.

Non-security bugs discovered in Office 2010 that also exist in  
previous editions will be fixed in those versions' upcoming service  
packs, Gallagher said.

Microsoft was able to find such a large number of bugs in Office 2010  
by using not only machines in the company's labs, but also  
underutilized or idle PCs throughout the company. The concept isn't new:  
The Search for Extraterrestrial Intelligence (SETI@home) project may  
have been the first to popularize the practice, and remains the  
largest, but it's also been used to crunch numbers in medical research  
and to find the world's largest prime number.

"We call it a botnet for fuzzing," said Gallagher, referring to what  
Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The  
fuzzing network originated with work by David Conger, a software  
design engineer on the Access team.

Client software installed on systems throughout Microsoft's network  
automatically kicks in when the PCs are idle, such as on weekends, to  
run fuzzing tests. "We would do millions of [fuzzing] iterations each  
weekend," Gallagher said -- up to 12 million in some cases.

The difference between Microsoft's old way of fuzzing -- which  
involved a tester setting up a fuzzer on a single machine, then  
letting it run for as long as a week -- and DFF was dramatic, said  
Gallagher. "We can do 12 million iterations without a lot of effort,"  
he said. "Set it up, go home, come in on Monday, and we have the  
results listing all the issues. What used to take days now just takes  
an hour."

While all the Office development teams use DFF, only some groups  
within the company have tried it. Currently SharePoint, MSN client and  
Fast search teams are utilizing the fuzzing network, but Windows  
developers are not.

A prominent vulnerability researcher, however, has criticized the  
fuzzing efforts of Microsoft, Apple and Adobe. Last week, Charlie  
Miller, three-time winner at the Pwn2Own hacking contest, showed  
CanSecWest attendees how he used a simple "dumb" fuzzer -- one not  
built to understand a specific file format -- to root out 20 security  
vulnerabilities and hundreds of crash bugs using fewer than five  
computers. Miller found vulnerabilities in PowerPoint, the  
presentation maker in Office, as well as in Mac OS X, Apple's Safari  
browser and Adobe's Reader.
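The article describes fuzzing (feeding data into a file parser and watching for crashes) and Miller's "dumb" fuzzer that knows nothing about the file format. The following is an added illustration, not code from Microsoft's DFF or from Miller: a constructed toy length-prefixed parser with a deliberate unchecked-length bug, a format-agnostic byte mutator, and a harness that deduplicates crashes by signature, which is the triage step behind Gallagher's distinction between 1,800 crashes and a smaller number of security bugs.

```python
import random
import struct
import traceback

# Constructed toy "file format" parser standing in for a real one: a 4-byte
# big-endian length, that many payload bytes, then one checksum byte. Its
# deliberate bug: the length field is trusted, so an oversized length makes
# the checksum index run off the end (IndexError here; an out-of-bounds read
# in native code).
def toy_parse(data: bytes) -> bool:
    if len(data) < 5:
        raise ValueError("too short")          # clean rejection, not a crash
    (n,) = struct.unpack(">I", data[:4])
    payload = data[4:4 + n]
    checksum = data[4 + n]                     # bug: unchecked length
    return sum(payload) % 256 == checksum

# A "dumb" mutator: it knows nothing about the format and just overwrites,
# inserts or deletes random bytes of a known-good seed input.
def mutate(seed: bytes, rng: random.Random, max_muts: int = 4) -> bytes:
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_muts)):
        r = rng.random()
        if r < 0.6 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif r < 0.8:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif buf:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Feed `iterations` mutated inputs to `parser`. Returns a map of crash
    signature -> first input that triggered it. The signature (exception type
    plus the line that raised it) deduplicates, so one bug hit a thousand
    times is reported once: that is the triage step between crashes and bugs."""
    rng = random.Random(rng_seed)              # fixed seed: reproducible runs
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue                           # expected rejection of bad input
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((type(exc).__name__, frame.lineno), case)
    return crashes

# Constructed known-good seed: length 3, payload b"abc", checksum 294 % 256.
SEED = struct.pack(">I", 3) + b"abc" + bytes([38])
```

Every input saved in the returned dictionary re-triggers its crash when fed to the parser again, which is the minimum a fuzzing run needs to hand a developer a reproducible bug.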

Miller refused to turn over details of the vulnerabilities to the  
vendors, Microsoft included, but instead showed the vendors how to  
replicate his work in his own presentation. "What I can do is tell  
them how to find these bugs, and do what I did. That might get them to  
do more fuzzing," Miller said last week in an interview with  
Computerworld.

Gallagher, who sat in on Miller's presentation, didn't commit  
Microsoft to doing what Miller wanted. "We're looking at his  
technique, how to duplicate it and how we might implement it,"  
Gallagher said today.

Miller was unavailable today to comment on Microsoft's Office fuzzing  
work.

Microsoft's stepped-up fuzzing was part of a security push for Office  
2010 that also added several new features, including a more flexible  
file blocker -- first introduced in Office 2007 -- and a new sandbox  
dubbed Protected View that isolates suspicious Word, Excel and  
PowerPoint files in a limited-rights environment, effectively  
quarantining them from the rest of the PC.

"We're not banking on finding and fixing every bug in Office 2010,"  
Gallagher admitted.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers  
and general technology breaking news for Computerworld. Follow Gregg  
on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail  
address is gkeizer at ix.netcom.com.
