Microsoft Fuzzing Botnet Finds 1,800 Office Bugs

CWmike writes "Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs, a company security engineer said on Wednesday. Office developers found the bugs by running millions of 'fuzzing' tests, a practice employed by both software developers and security researchers, that searches for flaws by inserting data into file format parsers to see where programs fail by crashing. 'We found and fixed about 1,800 bugs in Office 2010's code,' said Tom Gallagher, senior security test lead with Microsoft's Trustworthy Computing group, who last week co-hosted a presentation on Microsoft's fuzzing efforts at the CanSecWest security conference. 'While a large number, it's important to note that that doesn't mean we found 1,800 security issues. We also want to fix things that are not security concerns.'"

xkydgtufhlofhil

ghulkgiplgbvihlnk luioguilgil.bjohj110-o; Huto;bn

Re:xkydgtufhlofhil

[troll8901]

ghulkgiplgbvihlnk luioguilgil.bjohj110-o; Huto;bn

I don't understand this Score:4 Insightful comment. Can someone explain?

Re:xkydgtufhlofhil

[sucker_muts]

don't understand this Score:4 Insightful comment. Can someone explain?

Even though your name does look quite suspicious, I'll try to explain anyway.

The parent is showing how fuzzing works:
Using random 'data' to test the various functions of software, so we can find out if a certain piece of input triggers undesirable behavior.

In this case you could say that he's not only giving an example, but is testing the slashdot user comments code as well.

But it's perhaps more an attempt at humor. :-)

Re:xkydgtufhlofhil

[msclrhd]

Fuzzing is a technique where you modify the data sent to a file, protocol or data parser (e.g. code that reads an xml file) by changing random bits. Thus, if you have a 'text' command, a fuzzer could change that to 'next', or if you have a quoted striing "test", the fuzzer could change the end quote to something else, e.g. ' "tests '.

Hence, what you can end up with is something that looks like random garbage.

Re:xkydgtufhlofhil

Windows: "It's not a bug, it's a feature."

GNOME: "It's not a bug, it's a design decision."

Re:xkydgtufhlofhil

[jackal40]

Well color me red, here I thought this kind of testing should have been done prior to release. Guess the new model of software development is to have the users discover the bugs (can I get a smiley on this) instead of paying a QA team to test.

Re:xkydgtufhlofhil

[TimSSG]

COREL: It's not a bug. It's a WAD (Works as Designed). Tim S.

Re:xkydgtufhlofhil

Apple: It's not a bug. would you like to pay more?

Re:xkydgtufhlofhil

[jonadab]

Except that, in most cases, random letters in the ranges a-z and A-Z are not where you're going to find most of your problems. The major sources of bugs that can be uncovered by random data are assumptions that programmers (sometimes subconsciously) make about what the data are going to be like.

The most obvious of these are assumptions like "a newline can't occur in a single-line field" (a mistake web developers often make, because they assume the data are coming from an HTML input element that only allows single-line data; but an attacker can in fact send anything they want in an http request), or "nobody's going to have a single-quote character in their name" (hello, SQL injection attack). This sort of thing is probably not a major factor in Office, because it's common for documents to have those kinds of characters in them. There might be a couple of weird old control characters (like the ASCII NUL, 000), but those bugs were probably found aeons ago.

A second major category of problematic assumptions assumptions has to do with languages and code pages and character sets. When software that was written to assume a particular character set (like ASCII, or Latin-1) or even just one code page at a time (like, whichever one is the system default) has to be extended to support more (like, especially, Unicode), you run into all kinds of nasties. Again, though, Office probably had to deal with these issues a couple of versions ago. They may have found a few more, but at this point it's probably not the most fertile ground any more.

When you're dealing with file formats, however, there are also things like "the value at offset 0x003C from the beginning of the object header contains the size of the object, which can never be more than 0xFFFF" and "an object can embed another object by referencing it, but there are never any circular references, because the software doesn't allow the user to put an object inside itself". These sorts of assumptions pop up every time you write or change code that reads a file format, so they never go away really. This sort of thing is probably *most* of what the Office team found, I suspect.

Re:xkydgtufhlofhil

Mozilla: "It's not a bug, it's a feature."

Re:xkydgtufhlofhil

[jank1887]

somewhat relevant xkcd:

Exploits of a Mom
http://xkcd.com/327/

Re:xkydgtufhlofhil

[elronxenu]

Linux: "It's not a bug, not any more."

Re:xkydgtufhlofhil

[troll8901]

Even though your name does look quite suspicious, I'll try to explain anyway.

Thank you for your explanation.
And your benefit of the doubt.

Re:xkydgtufhlofhil

[mobby_6kl]

>In this case you could say that he's not only giving an example, but is testing the slashdot user comments code as well.

It's testing not just the user comments code, but also the moderation system code and the moderators themselves. In this case, it appears that he found a bug which causes the comment to be moderated Insightful by providing a certain combination of random characters as input. I will now attempt to replicate this problem.

______TEST DATA FOLLOWS______
TvaHokVAwgZGLrzPnDsIzHnKwuOOQEgaFskFJx-9JH@eIbwWSYhujyXDekeBP-9YQlfiZtdOZXlupfvy
UYXenTsWzzF#SScvbvWXtMMcbMg@xIsRC!OiViEDnt-9fQRGXEgvbfdlBATolRyiVYmcKyHi-9bLVcYx
JrPmw

Re:xkydgtufhlofhil

[Helen+O'Boyle]

"nobody's going to have a single-quote character in their name" (hello, SQL injection attack)

Hey, I resemble that remark! And yes, it's resulted in chuckles over the years. Microsoft, DevelopMentor, random e-commerce sites... many have fallen to the Irish. When talking to security professionals, I introduce myself as "the woman whose name is a SQL injection attack", and it seems to help them remember me.

Re:xkydgtufhlofhil

[nmb3000]

Well color me red, here I thought this kind of testing should have been done prior to release. Guess the new model of software development is to have the users discover the bugs (can I get a smiley on this) instead of paying a QA team to test.

No, color you stupid. Office 2010 hasn't been released yet.

Nice try though.

Re:xkydgtufhlofhil

[DMUTPeregrine]

Python: Oh, I fixed that last night, it's all ready in the repo.

Re:xkydgtufhlofhil

Apple: "It's not a bug, because Steeve Jobs said so

Re:xkydgtufhlofhil

[jonadab]

It isn't just names, either. Apostrophes and other special characters show up all kinds of places in data where naive programmers tend to imagine they won't appear. Did you know a less-than symbol can show up in a book title? Oh, yes, and if you aren't doing entity-encoding when you build HTML from the data you will get a surprise. With experience, you eventually learn to write the code so that it will either accept those characters as part of the data and handle them as such, or in cases where that's not desirable (like, say, non-numeric characters in a year field) catch them preemptively and issue a clear error message to the user. SQL injection is a particularly easy thing to fix, because you can just use prepared statements with bound variables, but nearly every program of any size or complexity is going to run into situations where it has to do more complex data checking. User-entered data is going to have stuff in it that you didn't anticipate. Every programmer has to learn this lesson, and most have to learn it repeatedly until they eventually become near-paranoid and borderline obsessive about it.

I was gratified when users came to me complaining that they got an error message about time travel not being permitted. Ha! I *knew* it was a good idea to write a test for the end of an appointment being before the beginning of the same appointment. I don't even want to *think* about the bugs that would have ensued if that data had got into the database. The routine that checks whether a room is free at a certain time wouldn't have handled it correctly, that's for certain.

You're not just paranoid. The data really are out to get you. You have to be ready for them, ready for *anything* they may throw at your code. If you're not careful, they'll get you.

Re:xkydgtufhlofhil

[jackal40]

Hmmm, might want to get your sarcasm detector fixed (can I get a smiley on this - refers to the beta test feedback system). Guess you're unfamiliar with it.

Dont wait for Office 3000

1800 in Office 2010? then 210 issues to go...

Hey, Microsoft!

[geminidomino]

"We also want to fix things that are not security concerns."

It's 5AM EST. April Fools' day is over everywhere but a few pacific islands. Give it up already.

Re:Hey, Microsoft!

[somersault]

While a large number, it's important to note that that doesn't mean we found 1,800 security issues

Don't worry, we all know that you haven't fixed any security issues.

Re:Hey, Microsoft!

[PolygamousRanchKid+]

Note that he said "want" and not "will".

Re:Hey, Microsoft!

[Arancaytar]

It would actually be believable except for the "also". :P

Re:Hey, Microsoft!

[game+kid]

...which brings us back to where we started; they've clearly fixed n security issues, where 0 <= n <= 1800. :)

Re:Hey, Microsoft!

As somebody who will not be forking out for Office 2010, it would be nice if they fixed some of the flaws in their previous Office products. The ability to insert multiple images into Office 2003 without Clippy putting the pics where he would like them rather than where I would like them would be a start.

Re:Hey, Microsoft!

[MacWiz]

There were only 1800 bugs. Not like it was anything serious.

Elsewhere in this "issue" of slashdot, we have the story of Microsoft's OOXML failing the standards test because they've only bothered to address about 5% of the issues there.

You just had another "emergency" security update for IE a few days ago.

Microsoft wants the world to run on its software and most of the business world does, not to mention the government. But they are willing to sell it to you BEFORE they bother to take a look and see how well it was coded. They were bad in the late-1980s, started actively bastardizing things to create their own version (Java is a prime example) in the 1990s and have now graduated to deplorable.

As long as they retain their market share, there is no real incentive to improve. Everyone keeps buying MS software anyway.

New bugs

[El_Muerte_TDS]

I wonder how many "new" bugs they'll create by fixing the found bugs.

Anyway, nice to see that they're performing fuzzing tests, not enough people/companies do that. There's also quite little tool support for it.

Re:New bugs

[GF678]

I wonder how many "new" bugs they'll create by fixing the found bugs

Yeah, just like the numerous regressions I see in the Linux kernel, WINE, Ubuntu releases etc.

Re:New bugs

[beakerMeep]

fuzzing tools probably wont ever gain wide spread acceptance outside of the furry community though.

Re:New bugs

I wonder how many "new" bugs they'll create by fixing the found bugs.

Just how is this an insightful comment?

I wonder how many "new" bugs any software developer create by fixing the found bugs.

Re:New bugs

fuzzing tools probably wont ever gain wide spread acceptance outside of the furry community though.

Of course not. You need a yiffing tool for that.

Re:New bugs

[LinuxIsGarbage]

I wonder how many "new" bugs they'll create by fixing the found bugs

Yeah, just like the numerous regressions I see in the Linux kernel, WINE, Ubuntu releases etc.

Why is this modded offtopic? It's cool and popular to poke fun at Microsoft but heaven forbid you point out Linux, WINE, and Ubuntu have regressions?

Re:New bugs

[anexkahn]

My teachers in school used to say for every bug you fix, you have a 50% chance of creating two more :)

Re:New bugs

[John+Hasler]

> Why is this modded offtopic?

Because it is.

> It's cool and popular to poke fun at Microsoft but heaven forbid you point
> out Linux, WINE, and Ubuntu have regressions?

Why is the fact that other software also has regressions relevant? Do you think that is news to anyone here?

Re:New bugs

Tribbles have been using fuzzing tools for centuries now.

Hmmm

[jocabergs]

Not sure if I buy the part about them trying to fix the non-security issue bugs... I think the proposed fix for bugs in 2007 is $300 for 2010, but its by no means a comprehensive fix.
(I'm coming from a bitter place, I've been stuck going through idiotic publisher files for the last 3 days and I'm certain it was designed by monkeys(or for them))

If only this was easier...

[Manip]

This is a great methodology of testing but to be honest I'm not sure it is within the scope of most software firms. While I'm sure we could all drop entirely random data into a parser and see if it fails, to REALLY conduct a test you have to do the same thing broken down by data element in the file format and then for each of those test both realistic and unrealistic test cases.

Then you throw on top of that UI and Web-Page fuzzing and you now have to somehow hook every element on a site and throw in random data which is not realistic with a large rich application.

Re:If only this was easier...

[somersault]

The whole point of the data is that it's unrealistic. There are a few tools out there for doing this type of testing, or easily modified to do it. I haven't used many testing tools but you could take something like Skipfish and add in some fuzz testing pretty easily.

Re:If only this was easier...

[owlstead]

As with all testing tools, the more of them you use, the better. There are many reasons why you don't want to employ all tests, e.g. lack of knowledge, lack of manpower, lack of money or lack of time. The good thing is that if you can get them automated, then they quickly become affordable.

For an example: I was thinking if it was wise to put findbugs (which works on compiled byte code) next to checkstyle (which works on source code level) in my Java project. Obviously I put them both in; they duplicate bugs but who cares ? I'll just look at checkstyle first and findbugs second. If I can put in a pre-build fuzzing component I probably will.

But fuzzing tools are different than unit tests. Fuzzing can never cover every nook and cranny. They will produce reports that are much less readable, and that cannot be directly tied to particular events (e.g. during regression testing). If anything, they'll put some pressure on developers to put in more unit tests; if the fuzzing tool finds many bugs in a component, it should be a good indicator that even the basic unit tests have not been created.

Re:If only this was easier...

[SharpFang]

A fuzzer isn't really hard to write.

Pick a word-based variant of Dissociated Press that requires similarity a random number of words back/ahead and allows split on special characters (separators) besides whitespaces. Feed it a lot of your actual files. Actually, the amount of data it can produce may be vastly bigger than the amount of data it takes in, because it can jump back and forth in the input files recombining their fragments multiple times.

Of course then you need a test unit that feeds the fuzz to your program.

Re:If only this was easier...

This is a great methodology of testing but to be honest I'm not sure it is within the scope of most software firms.

Microsoft runs huge (and I mean huge) server farms for all kinds of internal testing - unit tests for rolling builds, automated functional tests for the same, performance regression tests, compatibility tests (what if we run it on Vista without SP1 and with Office 2003 with latest updates installed?..) - you name it, it's there.

But, even with all the servers, it still takes hours for a complete test run.

Re:If only this was easier...

Using testing tools is good, but when you uncover that many bug, it means something is wrong in your developing method. Parsing a well formed language is not that hard, implementing a sane syntax tree and graceful failures isn't either.

Microsoft is notorious for taking 5 or 6 versions of a product to get it "right enough", I strongly suspect that they would greatly improve their quality by having a solid theoretical ground first, then code instead of trying to get the 1.0 out as quickly as possible. Of course, I am not saying this is wrong business-wise, just that this is wrong from a software quality point of view.

Re:If only this was easier...

This is a great methodology of testing but to be honest I'm not sure it is within the scope of most software firms.

Any firm whose software takes input should use it. The input can be from input files, stdin, the network, or command-line arguments. If you have a CLI utility, and you try entering a 2457 byte string into a command line argument for a file path (given that POSIX's PATH_MAX is 1024 and NAME_MAX is 255), how will your program deal with it? Will there be a buffer overflow or will it fail safely?

While I'm sure we could all drop entirely random data into a parser and see if it fails, to REALLY conduct a test you have to do the same thing broken down by data element in the file format and then for each of those test both realistic and unrealistic test cases.

Ideally you would have a spec of the file format, and you could automated generating generating and consuming the files via library calls.

Re:If only this was easier...

[digitig]

The solid theoretical ground would be fine if they were starting from scratch now (and looking at some of the research coming out of MS, they do seem to be trying for it -- we'll have to wait and see whether it delivers). One big problem for them, though, is maintaining compatibility with ealier versions of Office which were not written using what is now current best practice. Once you start trying to implement code with behaviour that's not properly understood, or pulling in code that's not properly understood, then that best practice is some help, but it doesn't give you the robustness you might want. The alternative would be to abandon back-compatibility, but that would throw away all their (perceived) lock-in and make it too easy for customers to jump ship, so that would probably be a bad business decision.

Re:If only this was easier...

[BitZtream]

Its only a great model for testing if you've exhausted the extensive list of known bugs that people hit every day under common circumstances.

Finding bugs in the file format is great and all, but fixing the bugs that users actually see every day is far more important and you can reset assured it will be released with a bucket load of very obvious bugs that should have been fixed rather than dicking around throwing random data at it.

I know there are potential security issues to deal with and those are important, but they still aren't as important as the users experience with the software and actually getting their own job done. Saying 'don't open word docs from someone else until this is fixed!' is a lot more practical than hearing that person say 'I'm not using Word, this retarded table layout bug is pissing me off, can we find something else to use instead of Word?'

I'm not saying they shouldn't, I'm just saying their priorities are wrong on a scale that is hardly imaginable.

As far as being realistic with a large rich application ...

Citation Needed.

Given enough processors sitting around the size of the application or its feature set becomes of little concern. It may take longer but thats no excuse to not do it.

Re:If only this was easier...

[plover]

I wouldn't knock what they're doing. As we've recently seen with Adobe, exploits in the payload format can be used to manipulate users and even launch code. And remember how we used to be all panicky about Word macro exploitations until the defaults were changed to shut them off? "Good times", indeed.

Consider that Microsoft dominates the market, and that the ".DOC" format is widely accepted across companies. Nowadays .DOC files are readily passed by email filters, web filters, etc. Office workers open them in previewers and Word without giving a second thought to security.

A buffer overrun or other fault in the handling of .DOC files could offer a hacker a way to deliver a malicious payload through channels that are today trusted worldwide. For all we know, these could already be exploited by phishing attacks.

It's definitely worth Microsoft's time and effort to execute these tests.

Re:If only this was easier...

We do this for network inputs on our software, which sits facing public, possibly untrusted networks. We figured we should view fuzzing as a long-term process. We first put together an application that generated millions of totally random packets, and then we crammed those into the software for days, checking for crashes, leaks, performance degradation, etc. Then we added the ability to define "overlay files", which are basically offset=value combinations. Combining that with random packet generation, we can generate millions of packets that are first randomized, but then "fixed up" to look legitimate enough to pass stage N processing.

From there, you simply add overlay files as you dream them up, particularly concentrating on how to craft packets that can pass through the various stages of processing. In other words, if we generate 30m random packets, maybe 99% of those are discarded immediately as obviously malformed. But by creating an overlay definition file that fixes up a few specific bytes for each generated packet, we can allow those packets to be accepted by the initial parser, and then let the second stage processing get a crack at them. If we find a problem with a particular combination, we save it and use it for permanent testing in the future.

We've caught *many* bugs this way. And over time the overlay files accumulate, and you have a large set of data that you can feed into the system to test all of the stages of processing.

"Botnet?"

[oldhack]

What's the connection with "botnet"?

Re:"Botnet?"

[nacturation]

FTFA:

Microsoft was able to find such a large number of bugs in Office 2010 by using not only machines in the company's labs, but also under-utilitized or idle PCs throughout the company. The concept isn't new: The Search for Extraterrestrial Intelligence (SETI@home) project may have been the first to popularize the practice, and remains the largest, but it's also been used to crunch numbers in medical research and to find the world's largest prime number.

"We call it a botnet for fuzzing," said Gallagher, referring to what Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team.

Odd that they would call it that publicly, given the negative connotation of the word. I would have called it "fuzzy clouds grid computing" or something like that.

Re:"Botnet?"

[Mathinker]

Let me explain: Microsoft discovered that all of their desktop computers were zombied with malware, and after wresting control from the botnet C&C, decided to take advantage of this increased ability to remotely administer their computers to run QA tests, on the off chance there might be some need for it.

</joke>

Re:"Botnet?"

[tagno25]

I would have called it a "Fuzzed Cluster"

Re:"Botnet?"

[benjamindees]

They had to infect the computers with Office 2010.

Re:"Botnet?"

[El_Muerte_TDS]

"Cluster Fuzzed" would be much better, specially when somebody finds a remote exploit in their cluster code, then Microsoft will be cluster fucked.

Re:"Botnet?"

[laederkeps]

So the project is a "Cluster fuzz" ?

Re:"Botnet?"

[flyingfsck]

A 'Cluster Fsck' would be even better.

Re:"Botnet?"

[shutdown+-p+now]

Odd that they would call it that publicly, given the negative connotation of the word. I would have called it "fuzzy clouds grid computing" or something like that.

Developers tend to name things that are used internally in a way that is short and more to the point, which is not necessarily something perfect for marketing/PR.

Sometimes these things slip through.

Re:"Botnet?"

[anarche]

or Cluster Ftck?,

its only one bit they're flipping...

Re:"Botnet?"

[Nadaka]

If you are flipping only one bit in a "Cluster Fsck", you are missing the point and could be having a lot more fun.

Re:"Botnet?"

[tool462]

Well, at least now the marketing drones can advertise MS products as "Botnet Optimized"

In soviet Russia...

...Office' bugs made you fuzzy.

Speaks to the complexity

I don't mean to sound for or against any particular vendor's products, but I think finding that number of bugs speaks to the complexity of the software. A full Office suite has so many functions that I bet the average user isn't even aware of 10% of them. And the most avid of users still discover new features fairly regularly.

Re:Speaks to the complexity

[zippthorne]

Your point being? In 10 years since I started using it, I still don't know all the Vi commands and Emacs is so daunting I never even attempted it.

Re:Speaks to the complexity

[AHuxley]

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1506909,00.html
Nothing really new, you just want your OS to be 'Unix' like when one app or new networked lifestyle cloud is compromised.
You really hope your fav 'application' does not open up your OS and start pumping your personal data out.
Apple seems itoy distracted, Windows seems Win7 PR happy.

Re:Speaks to the complexity

[140Mandak262Jamuna]

So why don't you do something instead of constantly griping? Find some open source project that comes close to what you want and contribute to it. Even if you are not a developer, work on documentation, testing, bug reporting or something.

1800 down, 10,000,000 to go

[flyingfsck]

The problem is that they write such crappy code to begin with. There really is no good reason for that. I use Word 2007 at work and it is very buggy. If I had my way, I would not use it, even OOo is better.

Re:1800 down, 10,000,000 to go

[swilver]

The same as I thought. Tip, meet iceberg.

Re:1800 down, 10,000,000 to go

[GeckoAddict]

The large Microsoft products seem to go through the same pattern. First version with a very large change kind of sucks but it works well enough to release and get bug reports on, and the second version is a polished, faster, more robust version of the same. See: Windows ME->XP, Vista->Win7, and now Office2007->Office 2010.

Re:1800 down, 10,000,000 to go

Exactly. And how many new bugs were introduced with these fixes? Considering how poor the pre-patch code was, I don't believe the new patches will be written any more carefully.

Seriously, 1800 bugs just on the data parsing section? That's some shit coding right there. I mean it's just data parsing you morons.

Re:1800 down, 10,000,000 to go

[RebelWebmaster]

Windows ME was a descendant of Win95/Win98. Windows XP was a descendant of NT4/Win2K.

Re:1800 down, 10,000,000 to go

[jbengt]

Your ME example is wrong; ME actually bucks the trend by being a worse version of a previous product.
ME was based on '95/'98 and XP was not based on ME.

Re:1800 down, 10,000,000 to go

[Blakey+Rat]

I use Word 2007 at work and it is very buggy.

Undoubtedly true.

If I had my way, I would not use it, even OOo is better.

"Better" in what sense? It's certainly not less buggy... hell, some components of OpenOffice.org (ok, I'll name it: Impress) seem to have never been actually tested.

Re:1800 down, 10,000,000 to go

[TheLink]

> I use Word 2007 at work and it is very buggy. If I had my way, I would not use it, even OOo is better.

I agree Word 2007 is buggy. But OOo is NOT better. It's far buggier.

FWIW, it's not so much the bugs in Word 2007 that annoy me than the way it does formatting and selection of certain stuff. Yes I know you can customize the behaviour but I still find I have to "battle" with it a bit too often.

OpenOffice on the other hand has rather blatant bugs like these:

Launch openoffice writer.
Type three lines of: "This is a test testing 1 2 3"

Select one of the lines.

Press ctrl-f.

Enter test in the "search for" field
Enter foo in the "replace with" field
Click on More Options.
Click on current selection only.
Click on replace.

Bug: openoffice replaces the ENTIRE selection with "foo", instead of the first found term.

It is not possible to search and replace terms within a selection. You either have the entire selection replaced (if you click replace), or openoffice forgets your initial selection (if you click find).

This bug has been around for ages: http://qa.openoffice.org/issues/show_bug.cgi?id=15501

I can't be bothered to see if it's still present in 3.2.

Just go the the openoffice bug site and look at the open bugs there and you'll see how behind they are. But hey it's free...

Another April Fool?

[epo001]

I mean Microsoft proactively looking for bugs? It's a bit far-fetched.

Come on it's April 2nd here, stop it!

Re:Another April Fool?

[owlstead]

Any other time you might have been modded funny for a lame joke like that, but - as you - mention, it is 2nd of April, we're still trying to recover from yesterday. No lame jokes today, please.

..they were all sitting in front of the screen....

[uweg]

SCNR....

Software firm test his software?

[Tei]

*pat in the back* good one Microsoft, now you test your software. What about now to change and respect standards, PLEASE.

Re:Software firm test his software?

[kronosopher]

I'd like to ask them to stop killing people first, much less respecting standards.

Re:Software firm test his software?

[maxume]

Aren't you a piece of work.

Or user a sales.

[leuk_he]

It is an alternative to the monkey test: Take a sales person from across the ahlloway and let him click on your application. If it does not crash or give absurd error messages you can do the actual testing.

GIGO!

Re:Or user a sales.

[mOdQuArK!]

It is an alternative to the monkey test: Take a sales person from across the ahlloway and let him click on your application.

Last time I tried that, it took me forever to get the feces out of the keyboard.

Ah, reminds me of the old days

[smchris]

Of Imprise Delphi 4 and Corel WordPerfect 9.

Just kidding. Seems like a good initiative on Microsoft's part.

One would think that this is the case...

[WD]

What you describe is "smart" or "generational" fuzzing, where you have a detailed knowledge of the target that you are fuzzing. The thing is, dumb (mutational) fuzzing is still effective. Very effective. Check out Charlie Miller's CanSecWest presentation - An analysis of fuzzing 4 products with 5 lines of Python
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt

In 3 weeks of (really) dumb fuzzing, 174 unique crashes in PowerPoint were discovered.

Re:One would think that this is the case...

[amorsen]

In 3 weeks of (really) dumb fuzzing, 174 unique crashes in PowerPoint were discovered.

The fuzzing was dumb, but the picking of files as basis for the fuzzing was smart. Unfortunately Charlie Miller doesn't present a tool for doing that.

Unit tests don't find everything either

[tepples]

But fuzzing tools are different than unit tests. Fuzzing can never cover every nook and cranny.

Neither will unit tests.

This is pretty standard in Haskell

[Z8]

QuickCheck

But for some reason random data testing is less popular for the other languages I'm familiar with.

Did they fix...

[RemoWilliams84]

Did they fix that bug where the useful menus get replaced by that horrible ribbon thing?

I know there are downloads to revert to the menus, but can't do that at work.

Re:Did they fix...

[BitZtream]

Yes, they called it the ALT key, and it was fixed in 2007 too.

wow imagine that

[hesaigo999ca]

Coming from a programmer's point of view, this is like saying a nurse used an alcohol swab before plunging a needle into your arm, to avoid you contracting anything....i think in today's world this is all pretty standard even for the smaller budget companies, most are unit test driven and have intensive test environments to stress test their apps. I have seen this even in a company as small as 3 programmers. Do they want a medal, seriously....i am thinking of saying something....maybe someone would care to finish my thought
I have blasted them enough already....?

Re:wow imagine that

[natehoy]

Programming 101: TEST YOUR GODDAMNED INPUTS!

Programming 102: If you missed the lesson in Programming 101 where you have to test your inputs, you fail and have to repeat Programming 101. Some people never get out of Programming 102. I've worked with a few of them. "It ain't that pretty at all".

This is clumsy after-the-fact testing at best, just throwing random garbage at the program and hoping to hit a condition. Having said that, I do want to applaud Microsoft for at least, finally, taking some steps toward input control. After so many Patch Tuesdays where "stack overflow", "buffer underrun", and other things caused by nothing more and nothing less than careless programming, it's good to see that they are at least going back with a little more rigor and testing for relatively obvious stuff before their code blows up in a customer's face.

Oblig. XKCD: http://xkcd.com/327/

Re:wow imagine that

[BitZtream]

this is like saying a nurse used an alcohol swab before plunging a needle into your arm, to avoid you contracting anything....

You clearly don't understand what fuzzy testing is.

Fuzzy testing and unit testing are only related in that they are tests.

Unit tests are well defined tests for known conditions.

Fuzzy tests, if done perfectly, would appear to be random and thrown entirely random data at the applicaiton in order to increase the chances of finding out what happens when the app gets something the developers never expected.

I don't know of anyone who does regular fuzzy testing. Everyone that matters does unit testing.

Going back to your nurse/needle analogy, a corrected version would be something like the nurse putting a needle of random length into a vial of a random medicine he/she pulled off the shelf into a random location on your body and injecting a random amount of the drug ... just to see what happens and figure out if its safe to do that in the future.

I won't finish your thought as its pretty clear you don't have them all that often, but before you start blasting someone it might actually help if you had at least some idea about what you were discussing, you clearly do not.

No one fuzzy tests. Okay, so no one is obviously false, but the number of people who do fuzzy testing is unimaginably low. Go find me an OSS package that does fuzzy testing as part of their automated build process. IF you find one, $5 says its a tool for doing testing and not some other type of app.

Re:wow imagine that

[Jer]

Computer Science 395 (Software Engineering): Remember how back in Programming 101 we told you how to perform testing on your code? Turns out we grossly oversimplified our discussion of how to go about doing that for pedagogical reasons. While it's nearly trivial to perform the test/debug cycle on code that you wrote for a class project that does one well-defined thing and will only ever be seen by you and your grader/professor, the scope of testing and debugging transforms radically when you attempt to scale this up to more general applications. Now, let's talk a bit about how real-world testing is done when you're debugging a giant project, with a substantial user base, spread over dozens of programmers, with code that contains elements that originated over a decade ago, some from programmers who left the company long before you finished Programming 101...

Re:wow imagine that

Mozilla regularly fuzzes its JavaScript engine: https://bugzilla.mozilla.org/show_bug.cgi?id=jsfunfuzz

Re:wow imagine that

[natehoy]

Yes, I've taken that class.

I'm not talking about testing, I'm talking about design. If you expect a URL in a field and someone puts executable code in there, you should not be executing the code - you should be rejecting the URL. Data of that nature should not be put in a memory area where an instruction can be sent to run it.

Stack overflows, buffer underruns, and things of that nature are not things that should be caught in testing. They are things that should be prevented in the first place. If your code can't write data from strangers in places it can execute it, you can't be caught with your pants around your ankles when someone sends you executable code in a text field.

I'm not saying this testing is a bad thing, it's great, and necessary, and wonderful, and all that! But I sincerely hope Microsoft learned the lesson and Office 2012 or whatever the next version is will at least get some protected mode lovin' so they can separate data space from execution space and stop crossing the streams.

Maybe then Patch Tuesday will stop being so darned exciting.

Re:wow imagine that

[hesaigo999ca]

Yet so many people take this class and then some, to learn UML, Unit testing,
variants of stress testing, even how to stand their ground against unwanted elements in the environment, but one thing will never change, if the boss says to do it his way, you can either finally do it his way, or hit the highway, and usually this is were the problem lies.

I have come across a few times in my life that the necessary steps were avoided on purpose and left many with critical bugs in their apps, only because of some higher up decision being taken to cut costs and save resources, to only have to spend more in the end.

I have heard many times M$ stood for develop and ship now, debug and patch later...however never having worked there I could never confirm such blatant disregard for proper protocol.

Re:wow imagine that

[hesaigo999ca]

Funny i read the word "buffer overflow" and to my knowledge this is
considered part of the unit testing and not the fuzzy.
As for many not doing fuzzy testing, well i never considered the 2 seperate
issues in my unit testing, so you will have to pardon my lack of
empathy for the situation

Re:wow imagine that

[Blakey+Rat]

I don't know of anyone who does regular fuzzy testing. Everyone that matters does unit testing.

Just FYI, Microsoft does fuzz testing in all areas of business, not just Office. The "news" here is really that the Office fuzz testing is done with a cluster of the developers' own computers. (Although it's definitely a good story to get out to all the shitty software houses out there that don't already do fuzz testing.)

When I worked in Xbox game testing back when the Xbox 360 was shiny and new, we had a large pile of Xbox 360s that did nothing but fuzz-testing of new titles by feeding them random controller input.

that doesn't mean we found 1,800 security issues

[Geminii]

it's important to note that that doesn't mean we found 1,800 security issues.

"...we have absolutely no idea where THOSE are."

No surprise, with that "format"!

[Hurricane78]

Have you even seen the “specification” that MS tried to make a standard. It’s a horribly convoluted mess, that can only be described as an upside-down pyramid of always patching new stuff onto the old framework, while never doing a needed complete re-design. Like Windows ME.

Hey Microsoft! If there are more bugs than features in your file format, maybe you should do a re-design, hm? ;)

Re:No surprise, with that "format"!

[BitZtream]

i'm sorry, I must have missed something ...

Where is your example of some successful software product without backwards compatibility?

Contrary to popular belief, a 'complete rewrite' is almost universally a retarded idea, and any developer with more than a couple years experience knows this.

When you're programming to get something done, its a little different than sitting in mommies basement rewriting your python script because you don't actually have anything else to do.

Dumbest possible way to not find errors

[Ancient_Hacker]

Remember the very obvious maxim of Dykstra: testing can only tell you there ARE errors, it can't tell you there AREN'T errors.

Randomly poking at data only find you the very dumbest errors. It takes some real thinking and mulling to realize, hey, if a xml field crosses this buffer boundary, and the last 4-byte Unicode code was cached, it's going to get bashed by the next 3-byte escape code. Or 255 bytes of code-page Yen symbol (255) followed by a 254 will lead to sign-extension and access to an address in the kernel trampoline DLL. Those kind of combinatorial errors are not going to be discovered by random poking at the data.

So they're going to (and have) given everybody a false sense of security, when the basic method can do nothing of the sort. it can only fin errors of the most trivial sort. It can't find errors that thousands of unemployed Russian hackers can dream up of testing for, and it can only FIND errors, not tell you there aren't an unlimited number of remaining errors.

Re:Dumbest possible way to not find errors

[owlstead]

Yeah, well, they find bugs and fix them, regardless of all the other testing they perform. If they are not deprecating other tests that (may not be fully covered) then yes, I can see a problem here. And don't forget, even the dumbest bug can become a vulnerability.

Re:Dumbest possible way to not find errors

Fuzzing is not a dumb method of finding bugs at all, it is an EXCELLENT method. Fuzzing when combined with unit testing, code reviews and full test sweeps as Ms are doing here is actually pretty damn awesome. Fuzzing helps devs and testers find bugs and security holes that their standard testing just didn't think of, it also helps improve the quality of defined tests as each time a fuzz breaks the product you can look at how and why and then implement test cases around those. anyone that says fuzzing is dumb obviously has very low level of security/dev knowledge, every extra tool that finds more bugs is a good thing, just becaue your little mind can't grasp that doesn't make it dumb.

Re:Dumbest possible way to not find errors

[Ancient_Hacker]

You just don't get it. Think. Fuzzing can find errors, if they're simple. But people are exponentially better at finding (and exploiting) complex combinatorial errors of the type I described. Fuzzing is never going to find, even in 2^32 passes, those kinds of errors.

    It's a losing game, for losers.

Re:Dumbest possible way to not find errors

[LO0G]

The thing is that fuzz tesing finds a staggering number of bugs in LOTS of components. Way more than the bugs found by people investigating "complex combinatorial errors".

Why spend months investigating in writing the tests to find all of those permutations when Charlie Miller can write a 6 line python script and turn it loose for a couple of weeks and find dozens of exploitable security holes in products from every vendor out there?

It's not a botnet.

[NotBornYesterday]

It's distributed computing.

Wait, I suppose it could be a botnet, if MS's IT department distributed the required software by exploiting security holes in the victim OS instead of just using admin rights to install the new app. Come to think of it, that might be easier ... [me scurries off to develop new easy-to-use set of malware-based admin tools].

There must be some funny counting here

[iceco2]

Even though some of us would easily believe MS office has 1800 security issues that need fixing.(and in my opinion every crash due to malformed input is a security issue)
I find it hard to believe they found 1800 of these by generating random data, what is far more likely is that they recorded 1800(or more) crash events
and after fixing two or three programming errors(problematic hidden assumptions about the input) 1800 of them were not reproduced.
This hardly counts as solving 1800 bugs.
The technique itself is very problematic since you need to generate random data that passes the tests your software has in place but still causes an unexpected error
due to something you forgot to check. just feeding random files and trying to parse them won't get you very far as practically all of them will be rejected, so have to make your garbage generator slightly more sophisticated, but without feeding in the same misconceptions that caused you to write buggy code in the first place.

  Me

Fuzzing is not needed if you have the source code.

You can write unit tests and then look at the code coverage of the tests until you have added tests that walk every code path. You can make sure that each code path is hit with garbage data. You can do this in just a few weeks of time. Certainly the fuzzing tests are good too, but unless the fuzzing findings are being added to the unit tests as they are found, then it is just wasted effort.

Fewer than 1800.

Any company that develops software has to start with the premise that developers fixing bugs create fewer bugs than they fix, otherwise they should get out of that business and start selling donuts instead.