Microsoft developer: 'Fuzzing' key to Office security

'Fuzzing' -- a method of plugging data into apps to see if and where they fail -- helps researchers sniff out potential security issues

By Gregg Keizer, Computerworld
September 21, 2007

Talkback

E-mail

Printer Friendly

Reprints

It's not an easy job, he admitted. "We shipped Office [2007] in early 2007, so mainstream support expires in early 2012. I can't possibly predict right now what the attackers are going to be doing and the techniques they'll be using in 2012. I wouldn't bet more than a beer that there won't be something in 2012 that I don't look back and go, 'Wow, I didn't see that coming'," LeBlanc said.

Fuzzing as a preventative measure
Among the ways the Office team is trying to get a step on attackers, said LeBlanc, is with stepped up fuzzing. He pointed to a presentation at last month's Black Hat security conference that described using generic algorithms to cover more code during fuzzing, a technique he said Microsoft had been working on for a couple of years.

"Right now, [the technique] is only able to exercise relatively simple network protocols like HTML, which is a lot simpler than a Word document," said LeBlanc. "Given five years, will [attackers] figure out a way to scale that? Our job is to figure out [if they will] so we can protect our customers for the life of the product."

Even the most diligent efforts, however, won't find every flaw, LeBlanc admitted. "One of the problems with fuzzing is it's really hard to say when you're done. Have you exercised the code sufficiently?"

A good example of something testing didn't spot during Office 2007's development -- not to mention the even earlier work on Office 2003 -- was the bug in Excel's file format disclosed by the July security bulletin MS07-036. The vulnerability, which existed across the Office line, from version 2000 to 2007, was, said the bulletin, "in the way Excel handles malformed Excel files." It was the first bug in a core Office 2007 application's file format.

"Something slipped through the cracks," LeBlanc acknowledged after looking over the MS07-036 advisory. "We like to stop these things, and overall, I think we did a pretty good job fuzzing Office 2007. This is the first one. It's kind of an example of why we need to continue to get smarter and apply more horsepower to this particular problem."

Bottom line, he said, is that the developers working on Office know they have to crank it up a notch. "We're going to be continuing to push the envelope to find new ways to make the product as secure as possible," LeBlanc said. "We need to get way, way out in front of those guys."

Computerworld is an InfoWorld affiliate.

« PREVIOUS PAGE | 1 | 2

Add to:

Digg

Talkback:

comment Post a Comment

MOST COMMENTS

>> Talkback: Have your say

COMPREHENSIVE DATA PROTECTION AND DISASTER RECOVERY
Traditional backup and recovery is becoming irrelevant. You need more. Watch this InfoWorld and Dell Equallogic webcast to learn the current trends in Comprehensive Data Protection and Disaster Recovery for VMware Virtual Infrastructure. Sponsored by Dell Equallogic:

» Click here to view this Webcast

The Path to Enterprise Security
This is your comprehensive guide to Enterprise Security. In it you'll find solutions to the most pressing security threats facing you and your company. Learn the latest on insider threats and how to effectively minimize risk within your organization. Sponsored by Nokia

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Jazz Meets Development in IBM Rational Team Concert - Open source. Open collaboration. Jazz. What's all the hype? This whitepaper, developed by RocketGang, an IBM Premier Business...
The Case for a Specialized Security Platform - Global business operations depend on networks that are up and running 24/7, and network security is an increasingly important...
Interaction between Nokia Intrusion Prevention and Nokia Firewall - Firewalls sometimes need to let their guard down to allow SMTP/email, FTP, SIP/VoIP calls and other protocols with minimal...
Maximizing Mobility in Communications - Learn how recent advances in wireless technology, particularly faster links and more powerful receiving devices, have greatly...
AT&T Article: Reinventing the Telephone with VoIP - After weighing Internet telephony's costs against its benefits, some managers are deciding that VoIP is vital to their organizations...
AT&T Business Continuity Survey on Risk Management - For the seventh consecutive year, AT&T surveyed 500 leading American IT executives to learn what they're doing about business...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

Microsoft developer: 'Fuzzing' key to Office security

MOST COMMENTS

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Video

Podcasts

InfoWorld Blogs

Columnists

Find Products and Companies

Resource Center

Sponsored Technology Links

Sponsored Technology Links
AT&T - New from AT&T: Discover Fixed-Mobile Convergence Now AT&T - Securing the Converged Enterprise I AT&T - An AT&T Article: When Content is King AT&T - The Spirit of Innovation: 100 IT Leaders Speak Out AT&T - Machines That Speak: The Machine-to-Machine Wireless Network AT&T - The Top 10 Best Practices for Server Virtualization Planning Rocket Gang - Jazz Meets Development in IBM Rational Team Concert Nokia - Interaction between Nokia Intrusion Prevention and Nokia Firewall Riverbed - Five Ways to Reduce IT Costs in 2009 AT&T - AT&T Article: Reinventing the Telephone with VoIP (ISC)2 - I'm an SSCP Go-To Guy. See what I do. Click here! AT&T - AT&T Business Continuity Survey on Risk Management AT&T - Maximizing Mobility in Communications Rackspace - The True Value of a Hosting Provider AMD - The Future is Fusion. Only from AMD. Learn more. Nokia - The Case for a Specialized Security Platform Intersystems - Develop and integrate faster with InterSystems Ensemble. AMD - Learn how the new Quad-Core AMD Opteron(TM) processor improves performance AT&T - Securing the Converged Enterprise II AT&T - An AT&T White Paper: Enterprise IPTV Solution HP - HP Architect Planning Tools for MS Office Communications Server 2007 HP - Best Practices for Deploying Microsoft Office SharePoint Server 2007 HP - HP ProLiant BL480c Server Blade Microsoft Exchange Server 2007 HP - HP Smart Array P800 Controller and HP MSA60 2,500 Oracle - Top 3 Ways to Cut Costs in 2009 with Oracle Content Management AMD - See the power of the new Quad-Core AMD Opteron(TM) processor ASG Software - Transform your IT Organization now! ISC2 - Network Security Solutions Guide		Infoblox - The Costs and Impacts of DNS and IP Address Management Riverbed - Virtualization Solutions Guide Armstrong - Delivering Actionable Enterprise Architecture HP - HP StorageWorks products-control, consolidation and confidence. Vision Solutions - Solving Downtime Challenges to Manufacturing and Supply Chain Operations Oracle - The Top Three Ways to Cut Costs in 2009 HP - Predict the future with HP Insight Power Manager HP - Affordable technology-no compromise. HP server solutions. Motorola - The Enterprise Mobile Messaging Benchmark Report Data Domain - IDC Workbook: Assess the Value of Deduplication for your Storage Consolidation Initiatives Vision Solutions - Real-Time, On-Demand Information for Business Intelligence and Data Integration Samsung Printing Solutions - control workflow, costs and operations Check Point - Check Point Endpoint Security White Paper Get to know - BlackBerry Professional Software-find out more Oracle - Oracle Universal Content Management Oracle - Information Workplace Platforms: Oracle vs. Microsoft Oracle - Performance Monitor: ERP at the Speed of Light Sony - Discover the advantages of Sony LTO media at sony.com/lto. Sun - Virtual Machines: Sun's xVM Virtualization Portfolio Verisign - The Latest Advancements in SSL Technology CA - Plan IT better, Manage IT better. CA - Manage your IT more effectively. Intel - Processor-enabled Virtualization. That's IT as it should be. Microsoft - Get the virtualizing power of Windows Server 2008 with Hyper-V Microsoft - Microsoft SQL Server 2008. Read Case Studies & Try for Free Microsoft - Learn about the software-based VoIP solution from Microsoft. Oracle - Nucleus Report: Who's ready for SMB? Qwest - Learn how Qwest voice and data solutions can save you time.

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist TecChannel :: TecCommunity