Microsoft Uncovers 1800 Bugs in Office 2010

A computer security engineer at Microsoft reports that the company discovered at least 1800 bugs in Office 2010 by tapping into the unused computer horsepower of idling PCs.

The bugs were uncovered by running millions of ‘fuzzing tests’, a practice used by both software developers and security researchers to detect flaws. The method involves inserting data into file format parsers to see where programs fail by crashing.

Tom Gallagher, senior security test lead with Microsoft’s Trustworthy Computing group, said they found and fixed about 1800 bugs in Office 2010’s code. “While a large number, it’s important to note that that doesn’t mean we found 1,800 security issues. We also want to fix things that are not security concerns,” he says.

He refuses to reveal the exact number of flaws uncovered through fuzzing that qualify as vulnerabilities.

Gallagher, who co-hosted a presentation on Microsoft’s fuzzing efforts at the CanSecWest security conference in Vancouver, British Columbia, says that the non-security bugs discovered in Office 2010 that also exist in previous editions will be fixed in those versions’ upcoming service packs.

Microsoft was able to detect such a large number of bugs in Office 2010 by using under-utilised and idle PCs throughout the company. “We call it a botnet for fuzzing,” said Gallagher, referring to what Microsoft has formally dubbed the Distributed Fuzzing Framework (DFF).

Client software installed on systems throughout Microsoft’s network is set to automatically run fuzzing tests when the PCs are idle, such as on weekends. “We would do millions of [fuzzing] iterations each weekend,” Gallagher said, up to 12 million in some cases.
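A minimal sketch of the file-format fuzzing loop described above, with the iteration space split across workers the way idle machines would each take a share. It is an added illustration, not Microsoft's Distributed Fuzzing Framework or code from the presentation; the toy `DOC1` format, the planted parser bug and every function name are assumptions made for the example.

```python
import random
import traceback
from collections import Counter

# Constructed sample for a made-up format: magic, then (type, length, payload) records.
SEED = b"DOC1" + bytes([1, 5]) + b"hello" + bytes([2, 2]) + b"\x00\x07"

def parse(data: bytes) -> list:
    """Toy parser with a planted bug: type-2 payloads are read without a length check."""
    if data[:4] != b"DOC1":
        raise ValueError("bad magic")  # clean rejection, not a finding
    records, pos = [], 4
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated record header")
        rtype, length = data[pos], data[pos + 1]
        payload = data[pos + 2 : pos + 2 + length]
        if rtype == 2:
            payload = (payload[0] << 8) | payload[1]  # IndexError when under 2 bytes
        records.append((rtype, payload))
        pos += 2 + length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Overwrite one to three random bytes of the seed file."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        data[rng.randrange(len(data))] = rng.randrange(256)
    return bytes(data)

def run_worker(iterations: range) -> Counter:
    """One machine's share; the iteration number seeds the RNG so any crash can be replayed."""
    buckets = Counter()
    for i in iterations:
        try:
            parse(mutate(SEED, random.Random(i)))
        except ValueError:
            pass  # parser refused the input as designed
        except Exception as exc:  # unexpected failure: bucket by type and location
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            buckets[(type(exc).__name__, frame.name, frame.lineno)] += 1
    return buckets

def run_distributed(total: int, workers: int) -> Counter:
    """Split the iteration space evenly across workers and merge their crash buckets."""
    merged, step = Counter(), total // workers
    for w in range(workers):
        merged += run_worker(range(w * step, (w + 1) * step))
    return merged
```

Bucketing by exception type and location collapses many crashing inputs into one bug to triage, and splitting by iteration range yields the same buckets as a single run, so results from many machines can be merged.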
