
Is Microsoft too good to use fuzzers?

Just got through reading this article at Security Focus. So basically, fuzzers are becoming more and more prominent in finding flaws in applications (they have been around a while, but they are now gaining notoriety with the general populace). More and more flaws are coming out on all sorts of applications, but the main focus is on Microsoft products, with the lion’s share being found on Office products.
This makes sense because Office is used so widely. People trying to make a buck are going to search for flaws in a widely used product, unless they have a specific target in mind and know which other apps that target uses. You could also say this makes sense because Microsoft makes such crappy products, and you would be partially correct. Fuzzers have been used to find flaws in non-MSFT apps as well (Flash, Shockwave, RealPlayer, etc.), so the threat is not limited to Microsoft products.

But the point here is this: if the baddies are concentrating their fuzzing efforts on Microsoft products, where is the news that Microsoft has started actively using fuzzers to find flaws in their code? Where is the news that the giant has hired HD Moore to start an active campaign to find flaws in their products so they can start fixing the issues before they are used by baddies?

Look at this quote from the article:

Moreover, the flaws reported to date are only due to a limited amount of effort using fuzzers, TippingPoint’s Dhamankar stressed. Researchers do not typically have access to the detailed information about file formats for Microsoft’s Office, so their efforts to date have been limited.

Does this mean that because the good guys can’t find the flaws, the baddies won’t either? No. The flaws will be found eventually. It means that Microsoft has the opportunity to find the flaws before anyone else, because they know more about the code and the file formats than anyone else. Microsoft needs to step up and start finding and fixing more flaws using other tools besides their own.
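To make the point in that quote concrete, here is an added example (not code from the article, and not any vendor’s tooling): a constructed toy file format with a checksum, a parser with one planted bug that trusts its length fields, and two mutation strategies. The blind mutator, which knows nothing about the format, never gets past the checksum; the format-aware one rebuilds the checksum and reaches the bug within a few iterations. The format, the bug and all function names are constructed for this illustration.

```python
import random
import struct

# Toy document format, constructed for this example (not a real Office format):
#   magic "TOYF" | u16 big-endian record count | records [u8 len][len bytes] | u8 XOR checksum
# The checksum covers everything after the magic, like the CRCs in real container formats.
MAGIC = b"TOYF"

def checksum(payload: bytes) -> int:
    x = 0
    for b in payload:
        x ^= b
    return x

def parse(blob: bytes) -> list[bytes]:
    """Parser with one planted defect: it trusts the record count and the
    per-record length bytes, so a hostile header walks it off the end of the data."""
    if blob[:4] != MAGIC:
        raise ValueError("bad magic")
    if checksum(blob[4:-1]) != blob[-1]:
        raise ValueError("bad checksum")
    (count,) = struct.unpack_from(">H", blob, 4)
    pos, records = 6, []
    for _ in range(count):
        length = blob[pos]                      # IndexError once pos runs past the buffer
        records.append(bytes(blob[pos + 1:pos + 1 + length]))
        pos += 1 + length
    return records

def blind_mutate(rng: random.Random, seed: bytes) -> bytes:
    """No format knowledge: overwrite one random byte. Any real change breaks
    the checksum (or the magic), so the record loop is never reached."""
    data = bytearray(seed)
    data[rng.randrange(len(data))] = rng.randrange(256)
    return bytes(data)

def aware_mutate(rng: random.Random, seed: bytes) -> bytes:
    """Format knowledge: push one structured field to an edge value, then
    recompute the checksum so the parser accepts the file and runs the loop."""
    data = bytearray(seed)
    if rng.random() < 0.5:
        struct.pack_into(">H", data, 4, rng.choice([0, 1, 0xFFFF]))   # record count
    else:
        data[6] = rng.choice([0, 0xFF])                               # first record's length
    data[-1] = checksum(data[4:-1])
    return bytes(data)

def first_crash(mutate, seed: bytes, budget: int, rng_seed: int = 1):
    """Iteration of the first unexpected exception (ValueError is the parser's
    intended rejection of malformed input), or None if the budget runs out."""
    rng = random.Random(rng_seed)
    for i in range(1, budget + 1):
        try:
            parse(mutate(rng, seed))
        except ValueError:
            continue
        except Exception:
            return i
    return None

def build_seed() -> bytes:
    """A valid two-record file to mutate from: records b"abc" and b"de"."""
    body = struct.pack(">H", 2) + b"\x03abc" + b"\x02de"
    return MAGIC + body + bytes([checksum(body)])
```

Running `first_crash(blind_mutate, build_seed(), 500)` returns None while `first_crash(aware_mutate, build_seed(), 200)` returns a small iteration number; the difference is entirely the checksum gate, which is the kind of format detail an outside researcher has to reverse engineer and the vendor already has.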

Vet

Categories: Rant, Security