Respect The Fuzzer

This image from Charlie Miller’s CanSecWest presentation (credit InfoSec Events) shows how a small home-brewed fuzzing tool found multiple exploitable vulnerabilities in Apple’s Preview, Microsoft’s PowerPoint and OpenOffice.   At the Pwn2Own contest, all the vulnerabilities used in the winning exploits were found via fuzz testing, a technique that provides invalid, unexpected, or random data to the inputs of a program.

This image from Charlie Miller’s CanSecWest presentation (credit InfoSec Events) shows how a small home-brewed fuzzing tool found multiple exploitable vulnerabilities in Apple’s Preview, Microsoft’s PowerPoint and OpenOffice.   At the Pwn2Own contest, all the vulnerabilities used in the winning exploits were found via fuzz testing, a technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails, the crashes can point to software defects and vulnerabilities.  It is clear that software vendors — even the big ones that already do internal fuzzing — must do a better job of fuzzing to kill as many bugs as possible before software products hit the market.

Suggested articles

2020 Cybersecurity Trends to Watch

Mobile becomes a prime phishing attack vector, hackers will increasingly employ machine learning in attacks and cloud will increasingly be seen as fertile ground for compromise.

Top Mobile Security Stories of 2019

Cybercrime increasingly went mobile in 2019, with everything from Apple iPhone jailbreaks and rogue Android apps to 5G and mobile-first phishing dominating the news coverage. Here are Threatpost’s Top 10 mobile security stories of 2019.