Microsoft developer: 'Fuzzing' key to Office security

A wave of attacks targeting Microsoft's Office 2003 last year taught the company some tough security lessons it's now aggressively applying, a Microsoft software engineer said Friday.

"When Office 2003 shipped, we thought we'd done some good work and that it would be a secure product," said David LeBlanc, a senior software development engineer with the Office team. "For the first two years after release, it held up really well, only two bulletins. [But] then people shifted their tactics and started finding problems in fairly large numbers."

LeBlanc, one of the proponents of Microsoft's SDL (Security Development Lifecycle) initiative, and Michael Howard, the co-author of "Writing Secure Code for Vista," referred to the spate of attacks in 2006 that exploited numerous vulnerabilities in Office 2003's file formats. The suite's core applications -- Word, Excel, and PowerPoint -- were all patched multiple times last year.

"I can't gloss this over. You can look up the security bulletins that apply to Office 2003 yourself."

The attacks, and the flaws they exposed, not only prompted immediate patches -- and the release this week of Office 2003 Service Pack 3 (SP3) -- but pushed Microsoft to step up efforts to track down bugs before shipping code.

"We realized that fuzzing needed to be a much bigger part of what we did," said LeBlanc. "We were already on the road to doing that, but we had to do more of it, and get smarter at it."

"Fuzzing" is a process used by security researchers trolling for vulnerabilities and by developers looking for flaws in their code before it goes public. Armed with fuzzers -- automated tools that drop data into applications, file formats, or operating system components to see if, and where, they fail -- programmers stress-test software. LeBlanc calls it "exercising the code."

Office 2007, especially its file formats, was extensively fuzzed during its development, often with custom-built fuzzers written by the teams responsible for specific file formats, said LeBlanc. In turn, that led Microsoft's developers to go back into Office 2003 to run the same level of fuzzing against its code as was done with Office 2007. Fixes for flaws uncovered during the repeat round of testing were incorporated in SP3.

The work's necessary, said LeBlanc, because of the length of time that Microsoft supports its corporate titles. "Do the math," he said. "Products are in mainstream support for five years, in extended support for another five. We're going to have to support something in the field for up to 10 years."

That led to the realization that if it was to properly protect customers, Microsoft had to do more than just react to attackers' moves. "Part of our job is to try to figure out where the attackers are going and try to get there ahead of them," LeBlanc said.

It's not an easy job, he admitted. "We shipped Office [2007] in early 2007, so mainstream support expires in early 2012. I can't possibly predict right now what the attackers are going to be doing and the techniques they'll be using in 2012. I wouldn't bet more than a beer that there won't be something in 2012 that I don't look back and go, 'Wow, I didn't see that coming'," LeBlanc said.