Microsoft runs fuzzing botnet, finds 1,800 Office bugs

Finds, fixes huge number of Office 2010 bugs by tapping idle company PCs

Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs, a company security engineer said today.

Office developers found the bugs by running millions of "fuzzing" tests, said Tom Gallagher, senior security test lead with Microsoft's Trustworthy Computing group.

Fuzzing, a practice employed by both software developers and security researchers, searches for flaws by inserting data into file format parsers to see where programs fail by crashing. Because some crash bugs can be further exploited to successfully hack software, allowing an attacker to insert malicious code, fuzzing is of great interest to both legitimate and criminal researchers looking for security vulnerabilities .

"We found and fixed about 1,800 bugs in Office 2010's code," said Gallagher, who last week co-hosted a presentation on Microsoft 's fuzzing efforts at the CanSecWest security conference in Vancouver, British Columbia. "While a large number, it's important to note that that doesn't mean we found 1,800 security issues. We also want to fix things that are not security concerns."

Gallagher declined to quantify the number of flaws found via fuzzing that qualified as vulnerabilities, saying only that the Office 2010 team did uncover security bugs in the process and patched them during development. Some of those vulnerabilities have already been addressed in older editions of Office, Gallagher added, because information obtained by fuzzing Office 2010 code was checked against the code in earlier versions -- such as Office 2007 and Office 2003 -- then patched during Office 2010's development.

Non-security bugs discovered in Office 2010 that also exist in previous editions will be fixed in those versions' upcoming service packs, Gallagher said.

Microsoft was able to find such a large number of bugs in Office 2010 by using not only machines in the company's labs, but also under-utilitized or idle PCs throughout the company. The concept isn't new: The Search for Extraterrestrial Intelligence ( SETI@home ) project may have been the first to popularize the practice, and remains the largest, but it's also been used to crunch numbers in medical research and to find the world's largest prime number .

"We call it a botnet for fuzzing," said Gallagher, referring to what Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team.

Client software installed on systems throughout Microsoft's network automatically kicks in when the PCs are idle, such as on weekends, to run fuzzing tests "We would do millions of [fuzzing] iterations each weekend," Gallagher said -- up to 12 million in some cases.

The difference between Microsoft's old way of fuzzing -- which involved a tester setting up a fuzzer on a single machine, then letting it run for as long as a week -- and DFF was dramatic, said Gallagher. "We can do 12 million iterations without a lot of effort," he said. "Set it up, go home, come in on Monday, and we have the results listing all the issues. What used to take days now just takes an hour."

While all the Office development teams use DFF, only some groups within the company have tried it. Currently SharePoint, MSN client and Fast search teams are utilizing the fuzzing network, but Windows developers are not.

A prominent vulnerability researcher, however, has criticized the fuzzing efforts of Microsoft,Apple and Adobe. Last week, Charlie Miller, three-time winner at the Pwn2Own hacking contest, showed CanSecWest attendees how he used a simple "dumb" fuzzer -- one not built to understand a specific file format -- to root out 20 security vulnerabilities and hundreds of crash bugs using fewer than five computers. Miller found vulnerabilities in PowerPoint, the presentation maker in Office, as well as in Mac OS X, Apple's Safari browser and Adobe's Reader.

Miller refused to turn over details of the vulnerabilities to the vendors, Microsoft included, but instead showed the vendors how to replicate his work in his own presentation. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing," Miller said last week in an interview with Computerworld .

Gallagher, who sat in on Miller's presentation, didn't commit Microsoft to doing what Miller wanted. "We're looking at his technique, how to duplicate it and how we might implement it," Gallagher said today.

Miller was unavailable today to comment on Microsoft's Office fuzzing work.

Microsoft's stepped-up fuzzing was part of a security push for Office 2010 that also added several new features, including a more flexible file blocker -- first introduced in Office 2007 -- and a new sandbox dubbed Protected View that isolates suspicious Word, Excel and PowerPoint files in a limited-rights environment, effectively quarantining them from the rest of the PC.

"We're not banking on finding and fixing every bug in Office 2010," Gallagher admitted.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags exploits and vulnerabilitiesofficeMicrosoftsecuritypwn2own

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?