Storm, Srizbi, and... Microsoft? Microsoft's Office application security team actually runs its own internal botnet, which, among other things, fuzzes for vulnerabilities in Office applications.
Microsoft's botnet isn't anywhere near the size of Srizbi (over 300,000 bots at last count) nor any of the other mega-botnets -- it's just a couple of thousand machines located in Microsoft's automation lab. But Tom Gallagher, senior security test lead for Microsoft Office, says the internal botnet is a key tool in rooting out new vulnerabilities in Office by simulating the wildly popular fuzzing technique used by attackers.
"We instruct the machines to perform various types of manipulations to a well-formed good Office document," Gallagher says. The Office security team typically targets memory-corruption bugs in the software like buffer overruns, integer overruns, and format strings, says Gallagher, who notes that the botnet is also used to test out features in the software.
This hack-it-yourself strategy has become the norm for the Office security team, which aside from its fuzzing botnet also regularly conducts penetration testing on its Office code and apps. Gallagher, 31, and senior software development engineer David LeBlanc, 47, lead a team that hacks at the applications regularly -- and then feeds its findings to the Office application developers.
"If we think this is a risky area the product team would need help with, we try to break in like a hacker would. Since the inception of our security team, we've tried to operate as if the attackers were coming for us. It so happens that they [the attackers] weren't too successful with that until recently," Gallagher says.
They don't just test security features in Office, he says, but regular features and functions in the applications as well. "With Office Clippy, for example, you don't think of him as a security feature. But we had tragic [security] issues with him," Gallagher says.
Gallagher's first gig with Microsoft was a penetration-testing job he landed in 1999, after conducting his first real hack for a mom-and-pop ISP operating out of a New Orleans residence. "I started asking for information about how their security stuff worked, and asked if I could break in [to the network]," Gallagher recalls. "And the husband [partner] said 'yeah, sure, but whatever you find, come back and tell me.'"
A few days later, Gallagher showed the ISP operators how he had broken into multiple accounts, and they hired him. "Back then, you kind of kept your mouth shut if you knew about security problems," he says. "We didn't really understand why we were finding those types of issues."
Gallagher still likes breaking into things, and says fuzzing is a big area of focus for his team. "Fuzzing is a major concern for us and we're invested heavily in this area... It's an easy area for attackers to quickly start testing," Gallagher says. "Our job is to find the bugs first and make their return on investment low."
Many of the security fixes in Office 2003 Service Pack 3 were a direct result of his team's fuzzing with its botnet. LeBlanc says his job on the Microsoft Office security team is to teach developers how to create secure features, rather than security features. "We teach people how to do the right thing in the first place," he says.
LeBlanc says he looks for ways to leverage new Windows features within Office, such as user access control, for instance. He's currently working on the next version of Office, 14, although he can't divulge details on what it will include. He did, however, hint at stronger encryption.
"Office's cryptography traditionally has not been its strongest feature," he says. "So I took it on as a goal to get Office cryptography up to solid modern standards. We shipped very good cryptography in Office 2007 and we're going to continue to build on that. We want to get good AES encryption," LeBlanc says.
One goal is to ensure Office can get the full benefits of Vista's cryptographic features, says LeBlanc, whose first job at Microsoft in 1999 was also as an internal hacker. ("I used to run around and hack into everything at Microsoft," he says.)
Meanwhile, LeBlanc and Gallagher express slightly different sentiments about XP's retirement. LeBlanc is ready to move on: "As a developer, I'm looking forward to the time when I don't have to support XP because there's so much cool stuff in Vista that I can use. The less often I have to write code that works a little differently on two different operating systems, the happier I am," LeBlanc says.
But Gallagher has mixed emotions. "I have mixed feelings about XP's retirement," Gallagher says. "Vista ups the bar a bit -- especially with things like ASLR and NX. For example, I was investigating a bug last week that would have been easy to exploit if ASLR [Address Space Layout Randomization] and NX weren't there. Vista's protections aren't a panacea, but they do stop things and make others more difficult."
(LeBlanc): It bugs me that you can never achieve perfection. The threat scenario changes over the lifecycle and you can't predict threats five years down the road.