Client software installed on systems throughout Microsoft's network automatically kicks in when the PCs are idle, such as on weekends, to run fuzzing tests. "We would do millions of [fuzzing] iterations each weekend," Gallagher said -- up to 12 million in some cases.
The difference between Microsoft's old way of fuzzing -- which involved a tester setting up a fuzzer on a single machine, then letting it run for as long as a week -- and DFF was dramatic, said Gallagher. "We can do 12 million iterations without a lot of effort," he said. "Set it up, go home, come in on Monday, and we have the results listing all the issues. What used to take days now just takes an hour."
While all the Office development teams use DFF, only some groups within the company have tried it. Currently SharePoint, MSN client and Fast search teams are utilizing the fuzzing network, but Windows developers are not.
A prominent vulnerability researcher, however, has criticized the fuzzing efforts of Microsoft, Apple and Adobe. Last week, Charlie Miller, three-time winner at the Pwn2Own hacking contest, showed CanSecWest attendees how he used a simple "dumb" fuzzer -- one not built to understand a specific file format -- to root out 20 security vulnerabilities and hundreds of crash bugs using fewer than five computers. Miller found vulnerabilities in PowerPoint, the presentation maker in Office, as well as in Mac OS X, Apple's Safari browser and Adobe's Reader.
Miller refused to turn over details of the vulnerabilities to the vendors, Microsoft included, but instead showed the vendors how to replicate his work in his own presentation. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing," Miller said last week in an interview with Computerworld.
Gallagher, who sat in on Miller's presentation, didn't commit Microsoft to doing what Miller wanted. "We're looking at his technique, how to duplicate it and how we might implement it," Gallagher said today.
Miller was unavailable today to comment on Microsoft's Office fuzzing work.
Microsoft's stepped-up fuzzing was part of a security push for Office 2010 that also added several new features, including a more flexible file blocker -- first introduced in Office 2007 -- and a new sandbox dubbed Protected View that isolates suspicious Word, Excel and PowerPoint files in a limited-rights environment, effectively quarantining them from the rest of the PC.
"We're not banking on finding and fixing every bug in Office 2010," Gallagher admitted.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
Original story - http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs