

7/17/2008
09:45 AM

Microsoft Office Security Team Enlists Bots, Pen Tests

Office security gurus Tom Gallagher and David LeBlanc talk fuzzing, in-house hacking, Clippy, and why they'll miss XP (or not)

Storm, Srizbi, and... Microsoft? Microsoft’s Office application security team actually runs its own internal botnet, which, among other things, “fuzzes” for vulnerabilities in Office applications.

Microsoft’s botnet isn’t anywhere near the size of Srizbi (over 300,000 bots at last count) nor any of the other mega-botnets -- it’s just a couple of thousand machines located in Microsoft’s automation lab. But Tom Gallagher, senior security test lead for Microsoft Office, says the internal botnet is a key tool in rooting out new vulnerabilities in Office by simulating the wildly popular fuzzing technique used by attackers.

“We instruct the machines to perform various types of manipulations to a well formed ‘good’ Office document,” Gallagher says. The Office security team typically targets memory-corruption bugs in the software like buffer overruns, integer overruns, and format strings, says Gallagher, who notes that the botnet is also used to test out features in the software.
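The mutation strategy Gallagher describes, as an added example that is not Microsoft's tool or code from the article: a small Python fuzzer that starts from a well-formed seed, applies mutations aimed at the three bug classes named above (a size field that overruns the data, sizes near 32-bit boundaries, printf tokens spliced into a field), and runs each case against a toy parser that raises where a C parser doing the same arithmetic would corrupt memory. The record format, the mutators and the target are all constructed for illustration; a real harness mutates actual Office files and watches a separate process for crashes.

```python
"""Mutation fuzzer for a toy 'document' format (constructed example, not an Office format).

The seed is a record file: u32 record count, then records of <u32 length><payload>.
Mutators aim at the bug classes the Office team targets: buffer overruns (a length
field that overruns the data), integer overruns (sizes near 32-bit boundaries) and
format strings (printf tokens spliced into a field). The target parser mimics C-style
32-bit size arithmetic and raises where real code would corrupt memory.
"""
import random
import struct

BOUNDARY_INTS = [0, 1, 0x7FFF, 0x8000, 0xFFFF, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]
FORMAT_TOKENS = [b"%s%s%s%s%s%s", b"%n%n%n%n%n%n", b"%x" * 8]


def build_seed(payloads):
    """Build a well-formed seed document from a list of payload byte strings."""
    out = struct.pack("<I", len(payloads))
    for p in payloads:
        out += struct.pack("<I", len(p)) + p
    return out


def walk_records(doc):
    """Return [(offset_of_length_field, length)] for each record of a well-formed doc."""
    (count,) = struct.unpack_from("<I", doc, 0)
    pos, records = 4, []
    for _ in range(count):
        (length,) = struct.unpack_from("<I", doc, pos)
        records.append((pos, length))
        pos += 4 + length
    return records


def mutate_flip_bits(doc, rng):
    """Dumb mutation: flip a handful of random bits anywhere in the file."""
    buf = bytearray(doc)
    for _ in range(8):
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)


def mutate_size_field(doc, rng):
    """Smart mutation: overwrite the record count or one record length with a boundary value."""
    buf = bytearray(doc)
    offsets = [0] + [off for off, _ in walk_records(doc)]
    struct.pack_into("<I", buf, rng.choice(offsets), rng.choice(BOUNDARY_INTS))
    return bytes(buf)


def mutate_format_string(doc, rng):
    """Splice a printf-style token into one payload, keeping its length field consistent
    so the parser reaches the payload instead of failing on structure first."""
    buf = bytearray(doc)
    off, length = rng.choice(walk_records(doc))
    token = rng.choice(FORMAT_TOKENS)
    buf[off + 4:off + 4 + length] = token[:length].ljust(length, b"A")
    return bytes(buf)


def parse_document(doc):
    """Toy target. Raises where a C parser doing the same arithmetic would misbehave."""
    (count,) = struct.unpack_from("<I", doc, 0)
    table_bytes = (count * 8) & 0xFFFFFFFF      # 32-bit multiply, as with size_t on x86
    if table_bytes // 8 != count:               # wrapped: under-allocation, then heap overrun
        raise OverflowError("record table size wraps: count=%#x" % count)
    pos = 4
    for _ in range(count):
        (length,) = struct.unpack_from("<I", doc, pos)   # struct.error if past end of file
        pos += 4
        if pos + length > len(doc):             # an unchecked copy would read past the buffer
            raise IndexError("record length %#x overruns file at %#x" % (length, pos))
        payload = doc[pos:pos + length]
        if b"%" in payload:                     # stands in for printf(payload) in the target
            raise ValueError("payload reaches a format function: %r" % payload[:12])
        pos += length
    return count


def fuzz(seed, iterations, rng_seed=0):
    """Run random mutations against the target; return {exception_class: first repro case}."""
    rng = random.Random(rng_seed)               # fixed seed so findings are reproducible
    mutators = [mutate_flip_bits, mutate_size_field, mutate_format_string]
    findings = {}
    for _ in range(iterations):
        case = rng.choice(mutators)(seed, rng)
        try:
            parse_document(case)
        except Exception as exc:                # a real harness watches a child process crash
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    seed = build_seed([b"hello", b"office document", b"fuzz me"])
    assert parse_document(seed) == 3            # the seed itself is well formed
    for name, case in sorted(fuzz(seed, 500).items()):
        print("%-14s %s" % (name, case.hex()[:48]))
```

The size-field mutator is the one that pays off: random bit flips mostly produce cases the parser rejects early, while boundary values placed exactly in the count and length fields reach the arithmetic and the copy that a real parser gets wrong. Keeping each finding keyed by exception class is a crude form of the crash bucketing a fuzzing farm does before handing bugs to developers.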

This hack-it-yourself strategy has become the norm for the Office security team, which aside from its fuzzing botnet also regularly conducts penetration testing on its Office code and apps. Gallagher, 31, and senior software development engineer David LeBlanc, 47, lead a team that hacks at the applications regularly -- and then feeds its findings to the Office application developers.

“If we think ‘this is a risky area’ the product team would need help with, we try to break in like a hacker would. Since the inception of our security team, we’ve tried to operate as if the attackers were coming for us. It so happens that they [the attackers] weren’t too successful with that until recently,” Gallagher says.

They don’t just test security features in Office, he says, but regular features and functions in the applications as well. “With Office Clippy, for example, you don’t think of him as a security feature. But we had tragic [security] issues with him,” Gallagher says.

Gallagher’s first gig with Microsoft was a penetration-testing job he landed in 1999, after conducting his first real hack for a mom-and-pop ISP operating out of a New Orleans residence. “I started asking for information about how their security stuff worked, and asked if I could break in [to the network],” Gallagher recalls. “And the husband [partner] said ‘yeah, sure, but whatever you find, come back and tell me.’”

A few days later, Gallagher showed the ISP operators how he had broken into multiple accounts, and they hired him. Back then, “you kind of kept your mouth shut if you knew about security problems,” he says. “We didn’t really understand why we were finding those types of issues.”

Gallagher still likes breaking into things, and says fuzzing is a big area of focus for his team. “Fuzzing is a major concern for us and we’re invested heavily in this area... It’s an easy area for attackers to quickly start testing,” Gallagher says. “Our job is to find the bugs first and make their return on investment low.”

Many of the security fixes in Office 2003 Service Pack 3 were a direct result of his team’s fuzzing with its botnet. LeBlanc says his job on the Microsoft Office security team is to teach developers how to create secure features, rather than security features. “We teach people how to do the right thing in the first place,” he says.

LeBlanc says he looks for ways to leverage new Windows features within Office, such as User Account Control (UAC). He’s currently working on the next version of Office, 14, although he can’t divulge details on what it will include. He did, however, hint at stronger encryption.

Office’s cryptography traditionally has not been its strongest feature, he says. “So I took it on as a goal to get Office cryptography up to solid modern standards. We shipped very good cryptography in Office 2007 and we’re going to continue to build on that. We want to get good AES encryption,” LeBlanc says.

One goal is to ensure Office can get the full benefits of Vista’s cryptographic features, says LeBlanc, whose first job at Microsoft in 1999 was also as an internal hacker. (“I used to run around and hack into everything at Microsoft,” he says).

Meanwhile, LeBlanc and Gallagher express slightly different sentiments about XP’s retirement. LeBlanc is ready to move on: “As a developer, I’m looking forward to the time when I don’t have to support XP because there’s so much cool stuff in Vista that I can use. The less often I have to write code that works a little differently on two different operating systems, the happier I am,” LeBlanc says.

But Gallagher has mixed emotions. “I have mixed feelings about” XP’s retirement, Gallagher says. “Vista ups the bar a bit -- especially with things like ASLR and NX. For example, I was investigating a bug last week that would have been easy to exploit if ASLR [Address Space Layout Randomization] and NX weren’t there. Vista’s protections aren’t a panacea, but they do stop things and make others more difficult.”
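The protections Gallagher refers to are opt-in per image, so the first thing a tester checks about a module is whether it was linked with them. As an added example that is not from the article or from Microsoft, the Python below reads a PE image's headers and reports whether it asks for ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, the /DYNAMICBASE linker flag) and for NX/DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, /NXCOMPAT), plus the caveat a practitioner cares about: an image whose relocations are stripped cannot be rebased, so the DYNAMICBASE bit alone does not make ASLR effective. The test images are constructed minimal headers rather than loadable executables, and the high-entropy flag is a later 64-bit addition included for completeness.

```python
"""Check a PE image's opt-in to the Vista-era mitigations (constructed example).

Reads the DllCharacteristics word of the optional header and the COFF Characteristics
word, following the PE/COFF layout: e_lfanew at 0x3C, the 4-byte PE signature, a
20-byte COFF header, then the optional header whose Magic is at +0 and whose
DllCharacteristics is at +70 for both PE32 (0x10B) and PE32+ (0x20B).
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # COFF Characteristics: no relocations, cannot rebase
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR, added after Vista (Windows 8)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: image may be ASLR-relocated
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # /NXCOMPAT: DEP/NX for the process


def pe_mitigations(data):
    """Return a dict of the image's ASLR/NX opt-in flags plus whether ASLR can take effect."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, _nsect, _stamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The loader can only randomise the base if it is able to apply relocations.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_test_image(dll_chars, file_chars=0, pe32plus=False):
    """Constructed minimal header (DOS stub + COFF + optional header, no sections).
    Enough for the checker to parse; not a loadable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: PE header follows the stub
    opt_size = 112 if pe32plus else 96                    # standard fields, no data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Against a real file: pe_mitigations(open(path, "rb").read())
    hardened = build_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = build_test_image(0)                          # linked without /DYNAMICBASE /NXCOMPAT
    stripped = build_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_FILE_RELOCS_STRIPPED)
    for name, img in [("hardened", hardened), ("legacy", legacy), ("relocs stripped", stripped)]:
        print(name, pe_mitigations(img))
```

Run over every module a process loads, this is how a pen tester finds the one legacy DLL that still ships without /DYNAMICBASE and hands an attacker a fixed address to build on, which is exactly the kind of case Gallagher's "not a panacea" remark covers.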

Personality Bytes

  • Why security patches “bite” (Gallagher): “I don’t like patches. It’s a sad day when we got those vuln reports in. But we do understand that we’re not perfect… we’re going to make it significantly difficult for people to find vulnerabilities, but some people will continue to find bugs here and there.”

    (LeBlanc): “It bugs me that you can never achieve perfection. The threat scenario changes over the lifecycle and you can’t predict threats five years down the road.”

  • Life after Bill: (Gallagher): “Bill may reduce his time at Microsoft, but his imprint on the company will never diminish. It will continue to be reflected in everything we do. We’ll continue his tradition of thinking big and executing even bigger. Of hiring the best and the brightest and letting them do their best work; and of setting the standard of great software that really improves people’s lives around the world. That has been Bill’s passion, and will continue to be Steve’s passion, the passion of our technical leaders and of the entire company.”


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...