This image from Charlie Miller’s CanSecWest presentation (credit InfoSec Events) shows how a small home-brewed fuzzing tool found multiple exploitable vulnerabilities in Apple’s Preview, Microsoft’s PowerPoint and OpenOffice. At the Pwn2Own contest, all the vulnerabilities used in the winning exploits were found via fuzz testing, a technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails, the crashes can point to software defects and vulnerabilities. It is clear that software vendors — even the big ones that already do internal fuzzing — must do a better job of fuzzing to kill as many bugs as possible before software products hit the market.
Scenes from this year’s hacking conference in Las Vegas, Nev. include a keynote by General Keith
Pwn2Own, Pwnium Attract Dollars and 0-Days by the BushelGroundbreaking Cyber Fast Track Research Program EndingAt Pwn2Own, Browser Exploits Gett
Ryan McGeehan, the director of incident response at Facebook and Chad Greene, the manager of the Facebook CERT on Thursday both explained how the social network has planned red team exercises in the past to prepare the company’s security team for a real attack.