ARN

Microsoft developer: 'Fuzzing' key to Office security

But nothing's perfect, says SDL guru David LeBlanc, who admits past slip-ups

A wave of attacks targeting Microsoft's Office 2003 last year taught the company some tough security lessons it's now aggressively applying, a Microsoft software engineer said Friday.

"When Office 2003 shipped, we thought we'd done some good work and that it would be a secure product," said David LeBlanc, a senior software development engineer with the Office team. "For the first two years after release, it held up really well, only two bulletins. But then people shifted their tactics and started finding problems in fairly large numbers."

LeBlanc, one of the proponents of Microsoft's Security Development Lifecycle (SDL) initiative, and Michael Howard, the co-author of Writing Secure Code for Vista, referred to the spate of attacks in 2006 that exploited numerous vulnerabilities in Office 2003's file formats. The suite's core applications -- Word, Excel and PowerPoint -- were all patched multiple times last year.

"I can't gloss this over. You can look up the security bulletins that apply to Office 2003 yourself."

The attacks, and the flaws they exposed, not only prompted immediate patches -- and the release this week of Office 2003 Service Pack 3 (SP3) -- but pushed Microsoft to step up efforts to track down bugs before shipping code.

"We realized that fuzzing needed to be a much bigger part of what we did," said LeBlanc. "We were already on the road to doing that, but we had to do more of it, and get smarter at it."

"Fuzzing" is a process used by security researchers trolling for vulnerabilities and by developers looking for flaws in their code before it goes public. Armed with fuzzers -- automated tools that drop data into applications, file formats or operating system components to see if, and where, they fail -- programmers stress-test software. LeBlanc calls it "exercising the code."

Office 2007, especially its file formats, was extensively fuzzed during its development, often with custom-built fuzzers written by the teams responsible for specific file formats, said LeBlanc. In turn, that led Microsoft's developers to go back into Office 2003 to run the same level of fuzzing against its code as was done with Office 2007. Fixes for flaws uncovered during the repeat round of testing were incorporated in SP3.

The work's necessary, said LeBlanc, because of the length of time that Microsoft supports its corporate titles. "Do the math," he said. "Products are in mainstream support for five years, in extended support for another five. We're going to have to support something in the field for up to 10 years."

That led to the realization that if it was to properly protect customers, Microsoft had to do more than just react to attackers' moves. "Part of our job is to try to figure out where the attackers are going, and try to get there ahead of them," LeBlanc said.

It's not an easy job, he admitted. "We shipped Office 2007 in early 2007, so mainstream support expires in early 2012. I can't possibly predict right now what the attackers are going to be doing and the techniques they'll be using in 2012. I wouldn't bet more than a beer that there won't be something in 2012 that I don't look back and go, 'Wow, I didn't see that coming'," LeBlanc said.

Page Break

Among the ways the Office team is trying to get a step on attackers, said LeBlanc, is with stepped up fuzzing. He pointed to a presentation at last month's Black Hat security conference that described using generic algorithms to cover more code during fuzzing, a technique he said Microsoft had been working on for a couple of years.

"Right now, the technique is only able to exercise relatively simple network protocols, like HTML, which is a lot simpler than a Word document," said LeBlanc. "Given five years, will attackers figure out a way to scale that? Our job is to figure out if they will so we can protect our customers for the life of the product."

Even the most diligent efforts, however, won't find every flaw, LeBlanc admitted. "One of the problems with fuzzing is it's really hard to say when you're done. Have you exercised the code sufficiently?"

A good example of something testing didn't spot during Office 2007's development -- not to mention the even earlier work on Office 2003 -- was the bug in Excel's file format disclosed by the July security bulletin MS07-036. The vulnerability, which existed across the Office line, from version 2000 to 2007, was, said the bulletin, "in the way Excel handles malformed Excel files." It was the first bug in a core Office 2007 application's file format.

"Something slipped through the cracks," LeBlanc acknowledged after looking over the MS07-036 advisory. "We like to stop these things, and overall I think we did a pretty good job fuzzing Office 2007. This is the first one. It's kind of an example of why we need to continue to get smarter and apply more horsepower to this particular problem."

Bottom line, he said, is that the developers working on Office know they have to crank it up a notch. "We're going to be continuing to push the envelope to find new ways to make the product as secure as possible," LeBlanc said. "We need to get way, way out in front of those guys."