Fuzzing as a preventative measure
Among the ways the Office team is trying to get a step on attackers, said LeBlanc, is with stepped up fuzzing. He pointed to a presentation at last month's Black Hat security conference that described using generic algorithms to cover more code during fuzzing, a technique he said Microsoft had been working on for a couple of years.
"Right now, [the technique] is only able to exercise relatively simple network protocols like HTML, which is a lot simpler than a Word document," said LeBlanc. "Given five years, will [attackers] figure out a way to scale that? Our job is to figure out [if they will] so we can protect our customers for the life of the product."
Even the most diligent efforts, however, won't find every flaw, LeBlanc admitted. "One of the problems with fuzzing is it's really hard to say when you're done. Have you exercised the code sufficiently?"
A good example of something testing didn't spot during Office 2007's development -- not to mention the even earlier work on Office 2003 -- was the bug in Excel's file format disclosed by the July security bulletin MS07-036. The vulnerability, which existed across the Office line, from version 2000 to 2007, was, said the bulletin, "in the way Excel handles malformed Excel files." It was the first bug in a core Office 2007 application's file format.
"Something slipped through the cracks," LeBlanc acknowledged after looking over the MS07-036 advisory. "We like to stop these things, and overall, I think we did a pretty good job fuzzing Office 2007. This is the first one. It's kind of an example of why we need to continue to get smarter and apply more horsepower to this particular problem."
Bottom line, he said, is that the developers working on Office know they have to crank it up a notch. "We're going to be continuing to push the envelope to find new ways to make the product as secure as possible," LeBlanc said. "We need to get way, way out in front of those guys."
Computerworld is an InfoWorld affiliate.
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Security Resource Alerts
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
1 Recommendation
