Members of Microsoft's Security Science team released the tool on Friday at the CanSecWest security conference in Toronto. !exploitable sorts out whether bugs that cause crashes during development and testing have security implications, and whether an attacker could exploit them.
"The problem with fuzzers is that they find too many bugs -- not just the exploitable ones," says HD Moore, creator of the popular Metasploit hacking tool and director of security for BreakingPoint Systems. "It seems like a great way to focus on the bugs which look promising, in a way that is less susceptible to human error. It would be a great first test for any new crash, and allows the researchers to focus only on the bugs that have a good chance of being exploited."
!exploitable is Microsoft's latest freebie tool for developers. The software giant in September released a free Threat Modeling Tool as part of its effort to open up its internal Security Development Lifecycle (SDL) framework to third-party application developers and customers in the spirit of promoting more secure software. At the time, Steve Lipner, Microsoft's senior director of security engineering strategy for the Trustworthy Computing Group, said Microsoft would continue to promote the development of secure software in the industry.
In August 2008, Microsoft announced it would share its vulnerability research finds with third-party developers for Windows and help them fix flaws in their software.
!exploitable handles crash analysis, traditionally the domain of a security expert, for developers and testers, according to Microsoft. It identifies the actual issues that cause an application to crash. Microsoft expects third-party developers and testers, as well as security researchers, to use its tool.
Developers typically are faced with numerous bugs during the development process; Microsoft's !exploitable tool sorts out the truly dangerous ones for them. Metasploit's Moore, who hopes to get a chance to test the tool soon, says researchers who have used it so far have reported that the tool "errs on the side of 'exploitable,'" so it's "not too accurate yet."
He also notes that !exploitable could be used in tandem with the Metasploit-related Windows-native debugging tool called Byakugan (PDF). "The Microsoft plug-in tries to determine whether something is exploitable based on the exception, and the Metasploit one tries to help you write the actual exploit," Moore says. "So theoretically you would start off with !exploitable, and then load Byakugan to write the [exploit] module."
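The triage idea described above, as an added illustration that is not Microsoft's code: a toy classifier that labels constructed crash records from the exception type and fault kind, buckets duplicates by stack hash, and ranks buckets so developers fix the likely-dangerous ones first. The rule set, the NULL_PAGE threshold and the sample records are assumptions made for this example, not !exploitable's real heuristics.

```python
"""Toy crash-triage heuristic in the spirit of !exploitable: rank fuzzer crashes so the
likely-dangerous ones get fixed first. Rules, thresholds and records are constructed for
illustration; they are NOT Microsoft's actual rule set."""
from dataclasses import dataclass
import hashlib

@dataclass
class Crash:
    exception: str   # e.g. "ACCESS_VIOLATION", "STACK_BUFFER_OVERRUN", "DIVIDE_BY_ZERO"
    access: str      # "read", "write", "execute", or "" when not applicable
    fault_addr: int  # address the faulting instruction touched
    ip: int          # instruction pointer at the time of the crash
    stack: tuple     # symbolic frames, innermost first

NULL_PAGE = 0x10000  # constructed threshold: faults below this look NULL-derived
SEVERITY = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]

def classify(c: Crash) -> str:
    """Map one crash to a severity label from its exception and fault kind."""
    if c.exception == "STACK_BUFFER_OVERRUN":
        return "EXPLOITABLE"  # stack cookie tripped: the stack was already overwritten
    if c.exception == "ACCESS_VIOLATION":
        if c.access in ("write", "execute") or c.ip == c.fault_addr:
            return "EXPLOITABLE"  # bad write, or control flow landed on unmapped memory
        if c.fault_addr < NULL_PAGE:
            return "PROBABLY_NOT_EXPLOITABLE"  # NULL-ish read: usually just a crash
        return "PROBABLY_EXPLOITABLE"  # wild read: err on the side of 'exploitable'
    # benign-looking exceptions rank last; anything else needs a human look
    return "PROBABLY_NOT_EXPLOITABLE" if c.exception in ("DIVIDE_BY_ZERO", "BREAKPOINT") else "UNKNOWN"

def bucket(c: Crash, depth: int = 3) -> str:
    """Hash the innermost frames so repeats of one bug collapse into one bucket."""
    return hashlib.sha1("|".join(c.stack[:depth]).encode()).hexdigest()[:12]

def triage(crashes):
    """Deduplicate and rank. Returns [(bucket, worst_severity, count)], worst first."""
    buckets = {}
    for c in crashes:
        sev, b = classify(c), bucket(c)
        prev = buckets.setdefault(b, [sev, 0])
        prev[1] += 1
        if SEVERITY.index(sev) < SEVERITY.index(prev[0]):
            prev[0] = sev  # a bucket is as bad as its worst member
    return sorted(((b, s, n) for b, (s, n) in buckets.items()), key=lambda t: SEVERITY.index(t[1]))

# Constructed sample crashes, as a fuzzing harness might log them (not real data)
SAMPLE = [
    Crash("ACCESS_VIOLATION", "write", 0x41414141, 0x401000, ("memcpy", "parse_chunk", "main")),
    Crash("ACCESS_VIOLATION", "write", 0x41414150, 0x401000, ("memcpy", "parse_chunk", "main")),
    Crash("ACCESS_VIOLATION", "read", 0x8, 0x402000, ("get_field", "parse_header", "main")),
    Crash("ACCESS_VIOLATION", "execute", 0x42424242, 0x42424242, ("??", "dispatch", "main")),
    Crash("DIVIDE_BY_ZERO", "", 0, 0x403000, ("scale", "render", "main")),
]
```

Running `triage(SAMPLE)` collapses the two memcpy crashes into one EXPLOITABLE bucket and pushes the NULL read and the divide-by-zero to the bottom of the list.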