Slashdot Mirror


Microsoft Fuzzing Botnet Finds 1,800 Office Bugs

CWmike writes "Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs, a company security engineer said on Wednesday. Office developers found the bugs by running millions of 'fuzzing' tests, a practice employed by both software developers and security researchers that searches for flaws by inserting data into file format parsers to see where programs fail by crashing. 'We found and fixed about 1,800 bugs in Office 2010's code,' said Tom Gallagher, senior security test lead with Microsoft's Trustworthy Computing group, who last week co-hosted a presentation on Microsoft's fuzzing efforts at the CanSecWest security conference. 'While a large number, it's important to note that that doesn't mean we found 1,800 security issues. We also want to fix things that are not security concerns.'"

19 of 111 comments

  1. xkydgtufhlofhil by Anonymous Coward · · Score: 5, Funny

    ghulkgiplgbvihlnk luioguilgil.bjohj110-o; Huto;bn

    1. Re:xkydgtufhlofhil by troll8901 · · Score: 3, Interesting

      ghulkgiplgbvihlnk luioguilgil.bjohj110-o; Huto;bn

      I don't understand this Score:4 Insightful comment. Can someone explain?

    2. Re:xkydgtufhlofhil by sucker_muts · · Score: 5, Informative

      I don't understand this Score:4 Insightful comment. Can someone explain?

      Even though your name does look quite suspicious, I'll try to explain anyway.

      The parent is showing how fuzzing works:
      Using random 'data' to test the various functions of software, so we can find out if a certain piece of input triggers undesirable behavior.

      In this case you could say that he's not only giving an example, but is testing the slashdot user comments code as well.

      But it's perhaps more an attempt at humor. :-)

      --
      Dependency hell? => /bin/there/done/that
    3. Re:xkydgtufhlofhil by jonadab · · Score: 5, Informative

      Except that, in most cases, random letters in the ranges a-z and A-Z are not where you're going to find most of your problems. The major sources of bugs that can be uncovered by random data are assumptions that programmers (sometimes subconsciously) make about what the data are going to be like.

      The most obvious of these are assumptions like "a newline can't occur in a single-line field" (a mistake web developers often make, because they assume the data are coming from an HTML input element that only allows single-line data; but an attacker can in fact send anything they want in an http request), or "nobody's going to have a single-quote character in their name" (hello, SQL injection attack). This sort of thing is probably not a major factor in Office, because it's common for documents to have those kinds of characters in them. There might be a couple of weird old control characters (like the ASCII NUL, 000), but those bugs were probably found aeons ago.

      A second major category of problematic assumptions has to do with languages and code pages and character sets. When software that was written to assume a particular character set (like ASCII, or Latin-1) or even just one code page at a time (like, whichever one is the system default) has to be extended to support more (like, especially, Unicode), you run into all kinds of nasties. Again, though, Office probably had to deal with these issues a couple of versions ago. They may have found a few more, but at this point it's probably not the most fertile ground any more.

      When you're dealing with file formats, however, there are also things like "the value at offset 0x003C from the beginning of the object header contains the size of the object, which can never be more than 0xFFFF" and "an object can embed another object by referencing it, but there are never any circular references, because the software doesn't allow the user to put an object inside itself". These sorts of assumptions pop up every time you write or change code that reads a file format, so they never go away really. This sort of thing is probably *most* of what the Office team found, I suspect.

      --
      Cut that out, or I will ship you to Norilsk in a box.
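The two comments above (sucker_muts on what fuzzing is, jonadab on the size-field and circular-reference assumptions that file-format parsers make) can be made concrete with a small worked example. This is an added illustration, not code from the Slashdot thread, from Microsoft, or from its Distributed Fuzzing Framework. It assumes a constructed toy container format ("OBJ1" magic, an object count, then objects carrying a size field and a child reference) rather than any real Office format, and the seed file and mutation strategy are likewise made up for the example. It pairs a naive parser that trusts both fields with a hardened one that checks them, and runs a seeded mutation fuzzer over both; the naive parser crashes on dangling children, cycles and truncated files, while the hardened one only ever raises ValueError.

```python
import random
import struct

# Constructed toy format for this example (not any real Office format): "OBJ1" magic, uint16
# object count, then objects of [uint16 size][uint16 child][payload]; child may be NONE.
MAGIC, NONE = b"OBJ1", 0xFFFF
INTERESTING = (0, 1, 2, 0x7FFF, 0x8000, 0xFFFF)  # boundary values fuzzers like to try

def build(records):
    """Serialize [(child, payload), ...] into a well-formed file."""
    body = b"".join(struct.pack("<HH", len(p) + 4, c) + p for c, p in records)
    return MAGIC + struct.pack("<H", len(records)) + body

SEED = build([(1, b"doc"), (2, b"table"), (NONE, b"cell")])  # constructed seed input

def parse_naive(buf):  # trusts size and child; the bugs are intentional
    if buf[:4] != MAGIC:
        raise ValueError("bad magic")
    count = struct.unpack_from("<H", buf, 4)[0]
    off, objs = 6, []
    for _ in range(count):
        size, child = struct.unpack_from("<HH", buf, off)  # struct.error on a short file
        objs.append((child, buf[off + 4:off + size]))      # oversize: the slice clamps silently
        off += size
    return objs

def render_naive(objs, idx):
    child, payload = objs[idx]                              # IndexError on a dangling child
    out = payload.hex()
    if child != NONE:
        out += "[" + render_naive(objs, child) + "]"        # RecursionError on a cycle
    return out

def load_naive(buf):
    return render_naive(parse_naive(buf), 0)

def parse_hardened(buf):  # same format, every assumption checked; rejects only with ValueError
    if len(buf) < 6 or buf[:4] != MAGIC:
        raise ValueError("bad header")
    count = struct.unpack_from("<H", buf, 4)[0]
    off, objs = 6, []
    for i in range(count):
        if off + 4 > len(buf):
            raise ValueError(f"object {i}: truncated header")
        size, child = struct.unpack_from("<HH", buf, off)
        if size < 4 or off + size > len(buf):
            raise ValueError(f"object {i}: size {size} out of bounds")
        if child != NONE and child >= count:
            raise ValueError(f"object {i}: child {child} out of range")
        objs.append((child, buf[off + 4:off + size]))
        off += size                                          # size >= 4, so off always advances
    if off != len(buf) or not objs:
        raise ValueError("trailing bytes or no objects")
    return objs

def render_hardened(objs, idx):  # iterative walk with a visited set: a cycle is an error
    seen, parts = set(), []
    while True:
        if idx in seen:
            raise ValueError(f"circular reference through object {idx}")
        seen.add(idx)
        child, payload = objs[idx]
        parts.append(payload.hex())
        if child == NONE:
            return "[".join(parts) + "]" * (len(parts) - 1)
        idx = child

def load_hardened(buf):
    return render_hardened(parse_hardened(buf), 0)

def mutate(rng, data):  # 1-3 random mutations: truncation, bit flip, or an interesting value
    data = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        pos, roll = rng.randrange(len(data)), rng.random()
        if roll < 0.1:
            data = data[:rng.randrange(1, len(data) + 1)]
        elif roll < 0.55:
            data[pos] ^= 1 << rng.randrange(8)
        else:
            data[pos:pos + 2] = struct.pack("<H", rng.choice(INTERESTING))[:len(data) - pos]
    return bytes(data)

def mutations(seed, n, rng_seed=1):  # deterministic stream of n mutated copies of seed
    rng = random.Random(rng_seed)
    for _ in range(n):
        yield mutate(rng, seed)

def fuzz(loader, cases):
    """ValueError is a clean rejection (counted); anything else is a bug (recorded by class)."""
    crashes, rejected = {}, 0
    for case in cases:
        try:
            loader(case)
        except ValueError:
            rejected += 1
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes, rejected

if __name__ == "__main__":
    for name, loader in (("naive", load_naive), ("hardened", load_hardened)):
        crashes, rejected = fuzz(loader, mutations(SEED, 2000))
        print(f"{name}: {len(crashes)} crash classes {sorted(crashes)}, {rejected} clean rejections")
```

Two things worth noticing when running it. A file whose size field claims 256 bytes but carries one is accepted by the naive parser without complaint, because a Python slice clamps at the end of the buffer; in the C code that real document parsers are written in, the same trusted field turns into an out-of-bounds read, which is exactly why fuzzing crashes are a security signal. And the cycle case shows why the hardened renderer walks iteratively with a visited set rather than recursing: the only reason a recursive parser can assume "no object contains itself" is that the writer refused to produce such a file, and a fuzzer is not the writer.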
    4. Re:xkydgtufhlofhil by elronxenu · · Score: 3, Insightful

      Linux: "It's not a bug, not any more."

    5. Re:xkydgtufhlofhil by Helen O'Boyle · · Score: 3, Informative

      "nobody's going to have a single-quote character in their name" (hello, SQL injection attack)

      Hey, I resemble that remark! And yes, it's resulted in chuckles over the years. Microsoft, DevelopMentor, random e-commerce sites... many have fallen to the Irish. When talking to security professionals, I introduce myself as "the woman whose name is a SQL injection attack", and it seems to help them remember me.

  2. Hey, Microsoft! by geminidomino · · Score: 5, Funny

    "We also want to fix things that are not security concerns."

    It's 5AM EST. April Fools' day is over everywhere but a few pacific islands. Give it up already.

    1. Re:Hey, Microsoft! by PolygamousRanchKid · · Score: 4, Insightful

      Note that he said "want" and not "will".

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  3. New bugs by El_Muerte_TDS · · Score: 5, Insightful

    I wonder how many "new" bugs they'll create by fixing the found bugs.

    Anyway, nice to see that they're performing fuzzing tests, not enough people/companies do that. There's also quite little tool support for it.

    1. Re:New bugs by beakerMeep · · Score: 4, Funny

      fuzzing tools probably won't ever gain widespread acceptance outside of the furry community though.

      --
      meep
  4. Re:"Botnet?" by nacturation · · Score: 4, Funny

    FTFA:

    Microsoft was able to find such a large number of bugs in Office 2010 by using not only machines in the company's labs, but also under-utilized or idle PCs throughout the company. The concept isn't new: The Search for Extraterrestrial Intelligence (SETI@home) project may have been the first to popularize the practice, and remains the largest, but it's also been used to crunch numbers in medical research and to find the world's largest prime number.

    "We call it a botnet for fuzzing," said Gallagher, referring to what Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team.

    Odd that they would call it that publicly, given the negative connotation of the word. I would have called it "fuzzy clouds grid computing" or something like that.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  5. Re:"Botnet?" by Mathinker · · Score: 4, Funny

    Let me explain: Microsoft discovered that all of their desktop computers were zombied with malware, and after wresting control from the botnet C&C, decided to take advantage of this increased ability to remotely administer their computers to run QA tests, on the off chance there might be some need for it.

    </joke>

  6. Re:If only this was easier... by somersault · · Score: 4, Informative

    The whole point of the data is that it's unrealistic. There are a few tools out there for doing this type of testing, or easily modified to do it. I haven't used many testing tools but you could take something like Skipfish and add in some fuzz testing pretty easily.

    --
    which is totally what she said
  7. Re:"Botnet?" by benjamindees · · Score: 5, Funny

    They had to infect the computers with Office 2010.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  8. Re:If only this was easier... by owlstead · · Score: 5, Insightful

    As with all testing tools, the more of them you use, the better. There are many reasons why you don't want to employ all tests, e.g. lack of knowledge, lack of manpower, lack of money or lack of time. The good thing is that if you can get them automated, then they quickly become affordable.

    For an example: I was thinking if it was wise to put findbugs (which works on compiled byte code) next to checkstyle (which works on source code level) in my Java project. Obviously I put them both in; they duplicate bugs but who cares? I'll just look at checkstyle first and findbugs second. If I can put in a pre-build fuzzing component I probably will.

    But fuzzing tools are different than unit tests. Fuzzing can never cover every nook and cranny. They will produce reports that are much less readable, and that cannot be directly tied to particular events (e.g. during regression testing). If anything, they'll put some pressure on developers to put in more unit tests; if the fuzzing tool finds many bugs in a component, it should be a good indicator that even the basic unit tests have not been created.

  9. Re:"Botnet?" by El_Muerte_TDS · · Score: 4, Funny

    "Cluster Fuzzed" would be much better, especially when somebody finds a remote exploit in their cluster code, then Microsoft will be cluster fucked.

  10. Re:Speaks to the complexity by zippthorne · · Score: 4, Insightful

    Your point being? In 10 years since I started using it, I still don't know all the Vi commands and Emacs is so daunting I never even attempted it.

    --
    Can you be Even More Awesome?!
  11. that doesn't mean we found 1,800 security issues by Geminii · · Score: 3, Insightful

    it's important to note that that doesn't mean we found 1,800 security issues.

    "...we have absolutely no idea where THOSE are."

  12. No surprise, with that "format"! by Hurricane78 · · Score: 3, Insightful

    Have you even seen the “specification” that MS tried to make a standard. It’s a horribly convoluted mess, that can only be described as an upside-down pyramid of always patching new stuff onto the old framework, while never doing a needed complete re-design. Like Windows ME.

    Hey Microsoft! If there are more bugs than features in your file format, maybe you should do a re-design, hm? ;)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.