Tom Gallagher, senior security test lead with Microsoft’s Trustworthy Computing group, was extensively quoted in news stories today as he described how his group found 1,800 software flaws in Office 2010 by running millions of “fuzzing” tests.
According to ComputerWorld, “Microsoft was able to find such a large number of bugs in Office 2010 by using not only machines in the company’s labs, but also under-utilitized or idle PCs throughout the company. The concept isn’t new: The Search for Extraterrestrial Intelligence (SETI@home) project may have been the first to popularize the practice, and remains the largest, but it’s also been used to crunch numbers in medical research and to find the world’s largest prime number.
“’We call it a botnet for fuzzing,’ said Gallagher, referring to what Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team.”
“Fuzzing” was in the computer security news headlines last week after Baltimore, Md., researcher Charlie Miller won the CanSecWest security conference Pwn2Own hacking contest for the third time. Miller said he’d used fuzzing to find 20 security vulnerabilities in Adobe Reader, the Apple Safari browser, Mac OS X and PowerPoint. He declined to tell the companies about the flaws but demonstrated his fuzzing technique told them to use it themselves.
If fuzzing, which obviously can find 1,800 software bugs at a crack, becomes extensively used Charlie Miller might be in line to become the first cyber saint! A computer security landscape without vulnerabilities would be a different country indeed.
Note to the darkside: don’t worry, there’s still social engineering.
ComputerWorld story: “Microsoft runs fuzzing botnet, finds 1,800 Office bugs”
Sunbelt Blog: “Firefox, IE8 and Safari hacked at CanSecWest“