Fuzz Testing in Office

We’ve made a number of changes in how we develop and test our productivity software, and together they have made Office 2010 the most secure version of Microsoft Office yet. In addition to designing Office with potential threats in mind (threat modeling), reviewing code for security flaws, and performing penetration testing, fuzz testing is another process Microsoft uses to create more secure software. Some of the other security improvements will be covered in a future post.

There has been a lot of discussion about fuzz testing among security professionals lately, including a recent post from the Computer Emergency Response Team (CERT), A Security Comparison: Microsoft Office vs. Oracle OpenOffice, and an article by Dan Kaminsky, Fuzzmarking: Towards Hard Security Metrics For Software Quality?

Today, we would like to highlight how we approach fuzz testing and file fuzzing in the Office team.

For more information about Office 2010 security see the whitepaper, Keeping Enterprise Data Safe with Microsoft Office 2010 , on the Microsoft Download Center and the Office 2010 Security Resource Center on TechNet.

File Fuzzing 101

File fuzzing is the process of taking a well-formed file, corrupting parts of it with random or systematically chosen data (the “fuzz”), feeding the result to the application that parses that format, and monitoring how the application responds. A clean rejection of the bad file is the desired outcome; a crash, a hang, or memory corruption indicates a bug in the parser. This technique is used both by companies creating software and by attackers developing malware. Software vendors use it to find and fix bugs in their own products so that an application is as secure and stable as possible before it is released to the public. Attackers use the same technique to find a vulnerability in the parser and then craft a file that triggers it: a targeted file format attack against the application.

A file format attack is a file whose structure has been deliberately modified so that the parser mishandles it in a way that runs code supplied by the attacker. The malicious code is not a feature of the file; it runs because a flaw in the parser (for example, a length or count field trusted without a bounds check) is triggered as the crafted file is opened. If the exploit succeeds, the attacker gains the ability to run code on a computer to which they did not previously have access, with the privileges of the user who opened the file. That foothold could enable the attacker to read sensitive information from the computer’s hard disk drive or to install malware, such as a worm or a key logging program.
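A minimal mutation-based file fuzzer, added here to illustrate the process described above. It is not the Office team’s tooling: the record format, the seed file, and the deliberately flawed parser are all constructed for this example. The parser trusts the count and length fields it reads from the file, which is exactly the kind of flaw a file format attack targets. The harness mutates a good seed, treats a clean ValueError as an expected rejection and any other exception as a fault (standing in for the out-of-bounds access a native parser would make), and buckets faults by exception type and faulting line so that many crashing inputs collapse into a few distinct bugs to triage.

```python
import random
import struct
import traceback

MAGIC = b"RCRD"
INTERESTING_U16 = [0, 1, 0x7FFF, 0x8000, 0xFFFF]   # boundary values for 16-bit fields


def build_seed():
    """Constructed seed file in a toy record format (not any Office format):
    MAGIC, u16 record count, then records of (u16 type, u16 length, payload)."""
    records = [(1, b"hello"), (2, b"world!!"), (3, b"\x00\x01\x02\x03")]
    body = b"".join(struct.pack("<HH", t, len(p)) + p for t, p in records)
    return MAGIC + struct.pack("<H", len(records)) + body


def parse_records(data):
    """Toy parser with the classic file-format flaw: it trusts the count and
    length fields it reads from the file. A bad magic is rejected cleanly with
    ValueError. Anything the parser has no check for surfaces as an unhandled
    exception, standing in for the out-of-bounds read a C parser would do."""
    if data[:4] != MAGIC:
        raise ValueError("not an RCRD file")
    count = struct.unpack_from("<H", data, 4)[0]
    off, records = 6, []
    for _ in range(count):
        rtype, length = struct.unpack_from("<HH", data, off)  # struct.error on a truncated header
        end = off + 4 + length
        _ = data[end - 1]                                     # IndexError: reads past the end of the file
        records.append((rtype, data[off + 4:end]))
        off = end
    return records


def set_u16(data, offset, value):
    """Return a copy of data with the little-endian u16 at offset overwritten."""
    buf = bytearray(data)
    struct.pack_into("<H", buf, offset, value)
    return bytes(buf)


def mutate(data, rng):
    """Apply one randomly chosen mutation to data; returns (strategy, mutant)."""
    strategy = rng.choice(["bitflip", "u16", "truncate", "dupchunk"])
    if strategy == "bitflip":                         # flip a single bit anywhere in the file
        buf = bytearray(data)
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        return strategy, bytes(buf)
    if strategy == "u16":                             # aim a boundary value at a 16-bit field
        return strategy, set_u16(data, rng.randrange(len(data) - 1), rng.choice(INTERESTING_U16))
    if strategy == "truncate":                        # cut the file short
        return strategy, data[:rng.randrange(1, len(data))]
    i = rng.randrange(len(data))                      # duplicate a chunk, growing the file
    j = rng.randrange(i, len(data) + 1)
    return strategy, data[:j] + data[i:j] + data[j:]


def run_one(data):
    """Feed one input to the parser. Returns None when the parser accepts it or
    rejects it cleanly, otherwise a crash signature built from the exception
    type and the parser line that raised it (the same idea as bucketing native
    crashes by faulting instruction)."""
    try:
        parse_records(data)
    except ValueError:
        return None                                   # expected, handled rejection
    except Exception as exc:                          # anything else is a parser fault
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        kind = type(exc)
        name = kind.__name__ if kind.__module__ == "builtins" else f"{kind.__module__}.{kind.__name__}"
        return f"{name}@{frame.name}:{frame.lineno}"
    return None


def run_campaign(seed, iterations, rng_seed=0):
    """Mutate the seed `iterations` times and keep the first input that
    reproduces each distinct crash signature: {signature: (strategy, input)}."""
    rng = random.Random(rng_seed)
    found = {}
    for _ in range(iterations):
        strategy, mutant = mutate(seed, rng)
        sig = run_one(mutant)
        if sig is not None and sig not in found:
            found[sig] = (strategy, mutant)
    return found


if __name__ == "__main__":
    for sig, (strategy, mutant) in run_campaign(build_seed(), 2000).items():
        print(f"{sig:36} via {strategy:8} len={len(mutant)}")
```

Run as a script, it prints one line per distinct crash bucket with the mutation that first produced it. In a real campaign the target runs out of process (a genuine crash would take the harness down with it), every crashing input is saved to disk so the bug can be reproduced and regression-tested, and buckets are keyed by the output of a native crash triage tool rather than a Python traceback; the shape of the loop, mutate, run, dedupe, keep the repro, is the same.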

Fuzz testing and prevention

The Office team used automated, distributed file fuzz testing to identify bugs and potential vulnerabilities during the development of Office 2010, and we continue to fuzz throughout the support lifecycle. As part of this effort, millions of Office files, covering the full spectrum of more than 300 file formats across the whole Office suite, were fuzzed tens of millions of times each week using a variety of mutation strategies, in order to find new vulnerabilities in every file format Microsoft Office opens.

Fuzzing finds bugs before release, but no amount of testing finds every one, so Office 2010 also provides defense-in-depth mitigations against file format attacks: Protected View (files from untrusted locations open in a read-only, sandboxed instance), file block settings (administrators can block specific legacy formats from opening), Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Office File Validation (binary-format files are checked against the format specification before the full parser sees them, and files that do not conform are opened in Protected View).

Recently, we also incorporated this file validation technology into an update for Office 2003 and Office 2007. This helps protect users who have not yet moved to Office 2010 from file format attacks. We strongly recommend that all customers deploy these updates. For more information, see the TechNet article, Office File Validation for Office 2003 and Office 2007.