Microsoft developer: 'Fuzzing' key to Office security

But nothing's perfect, says SDL guru David LeBlanc, who admits past slip-ups

A wave of attacks targeting Microsoft's Office 2003 last year taught the company some tough security lessons it's now aggressively applying, a Microsoft software engineer said Friday.

"When Office 2003 shipped, we thought we'd done some good work and that it would be a secure product," said David LeBlanc, a senior software development engineer with the Office team. "For the first two years after release, it held up really well, only two bulletins. But then people shifted their tactics and started finding problems in fairly large numbers."

LeBlanc, one of the proponents of Microsoft's Security Development Lifecycle (SDL) initiative, and Michael Howard, the co-author of Writing Secure Code for Vista, referred to the spate of attacks in 2006 that exploited numerous vulnerabilities in Office 2003's file formats. The suite's core applications -- Word, Excel and PowerPoint -- were all patched multiple times last year.

"I can't gloss this over. You can look up the security bulletins that apply to Office 2003 yourself."

The attacks, and the flaws they exposed, not only prompted immediate patches -- and the release this week of Office 2003 Service Pack 3 (SP3) -- but pushed Microsoft to step up efforts to track down bugs before shipping code.

"We realized that fuzzing needed to be a much bigger part of what we did," said LeBlanc. "We were already on the road to doing that, but we had to do more of it, and get smarter at it."

"Fuzzing" is a process used by security researchers trolling for vulnerabilities and by developers looking for flaws in their code before it goes public. Armed with fuzzers -- automated tools that drop data into applications, file formats or operating system components to see if, and where, they fail -- programmers stress-test software. LeBlanc calls it "exercising the code."

Office 2007, especially its file formats, was extensively fuzzed during its development, often with custom-built fuzzers written by the teams responsible for specific file formats, said LeBlanc. In turn, that led Microsoft's developers to go back into Office 2003 to run the same level of fuzzing against its code as was done with Office 2007. Fixes for flaws uncovered during the repeat round of testing were incorporated in SP3.

The work's necessary, said LeBlanc, because of the length of time that Microsoft supports its corporate titles. "Do the math," he said. "Products are in mainstream support for five years, in extended support for another five. We're going to have to support something in the field for up to 10 years."

That led to the realization that if it was to properly protect customers, Microsoft had to do more than just react to attackers' moves. "Part of our job is to try to figure out where the attackers are going, and try to get there ahead of them," LeBlanc said.

It's not an easy job, he admitted. "We shipped Office 2007 in early 2007, so mainstream support expires in early 2012. I can't possibly predict right now what the attackers are going to be doing and the techniques they'll be using in 2012. I wouldn't bet more than a beer that there won't be something in 2012 that I don't look back and go, 'Wow, I didn't see that coming'," LeBlanc said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?