Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Fuzzing Botnet Finds 1,800 Office Bugs

Posted by timothy on from the running-through-the-possibilities dept.

CWmike writes "Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs, a company security engineer said on Wednesday. Office developers found the bugs by running millions of 'fuzzing' tests, a practice employed by both software developers and security researchers, that searches for flaws by inserting data into file format parsers to see where programs fail by crashing. 'We found and fixed about 1,800 bugs in Office 2010's code,' said Tom Gallagher, senior security test lead with Microsoft's Trustworthy Computing group, who last week co-hosted a presentation on Microsoft's fuzzing efforts at the CanSecWest security conference. 'While a large number, it's important to note that that doesn't mean we found 1,800 security issues. We also want to fix things that are not security concerns.'"

13 of 111 comments (clear)

  1. xkydgtufhlofhil by Anonymous Coward · · Score: 5, Funny

    ghulkgiplgbvihlnk luioguilgil.bjohj110-o; Huto;bn

    1. Re:xkydgtufhlofhil by Anonymous Coward · · Score: 2, Funny

      Windows: "It's not a bug, it's a feature."

      GNOME: "It's not a bug, it's a design decision."

    2. Re:xkydgtufhlofhil by mobby_6kl · · Score: 2, Funny

      >In this case you could say that he's not only giving an example, but is testing the slashdot user comments code as well.

      It's testing not just the user comments code, but also the moderation system code and the moderators themselves. In this case, it appears that he found a bug which causes the comment to be moderated Insightful by providing a certain combination of random characters as input. I will now attempt to replicate this problem.

      ______TEST DATA FOLLOWS______
      TvaHokVAwgZGLrzPnDsIzHnKwuOOQEgaFskFJx-9JH@eIbwWSYhujyXDekeBP-9YQlfiZtdOZXlupfvy
      UYXenTsWzzF#SScvbvWXtMMcbMg@xIsRC!OiViEDnt-9fQRGXEgvbfdlBATolRyiVYmcKyHi-9bLVcYx
      JrPmw

  2. Hey, Microsoft! by geminidomino · · Score: 5, Funny

    "We also want to fix things that are not security concerns."

    It's 5AM EST. April Fools' day is over everywhere but a few pacific islands. Give it up already.

    1. Re:Hey, Microsoft! by somersault · · Score: 2, Funny

      While a large number, it's important to note that that doesn't mean we found 1,800 security issues

      Don't worry, we all know that you haven't fixed any security issues.

      --
      which is totally what she said
    2. Re:Hey, Microsoft! by Arancaytar · · Score: 1, Funny

      It would actually be believable except for the "also". :P

  3. Re:"Botnet?" by nacturation · · Score: 4, Funny

    FTFA:

    Microsoft was able to find such a large number of bugs in Office 2010 by using not only machines in the company's labs, but also under-utilitized or idle PCs throughout the company. The concept isn't new: The Search for Extraterrestrial Intelligence (SETI@home) project may have been the first to popularize the practice, and remains the largest, but it's also been used to crunch numbers in medical research and to find the world's largest prime number.

    "We call it a botnet for fuzzing," said Gallagher, referring to what Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team.

    Odd that they would call it that publicly, given the negative connotation of the word. I would have called it "fuzzy clouds grid computing" or something like that.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  4. Re:"Botnet?" by Mathinker · · Score: 4, Funny

    Let me explain: Microsoft discovered that all of their desktop computers were zombied with malware, and after wresting control from the botnet C&C, decided to take advantage of this increased ability to remotely administer their computers to run QA tests, on the off chance there might be some need for it.

    </joke>

  5. Re:"Botnet?" by benjamindees · · Score: 5, Funny

    They had to infect the computers with Office 2010.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  6. Re:"Botnet?" by El_Muerte_TDS · · Score: 4, Funny

    "Cluster Fuzzed" would be much better, specially when somebody finds a remote exploit in their cluster code, then Microsoft will be cluster fucked.

  7. Re:"Botnet?" by laederkeps · · Score: 2, Funny

    So the project is a "Cluster fuzz" ?

  8. Re:New bugs by beakerMeep · · Score: 4, Funny

    fuzzing tools probably wont ever gain wide spread acceptance outside of the furry community though.

    --
    meep
  9. Re:1800 down, 10,000,000 to go by swilver · · Score: 2, Funny

    The same as I thought. Tip, meet iceberg.