Reports suggest that Microsoft has discovered over 1800 bugs in Office 2010 using the new system, which it calls the Distributed Fuzzing Framework.
Fuzz testing involves sending streams of data to the part of a software application that processes file formats and network communication protocols. Hackers and malware writers have increasingly learned how to destabilize software by throwing unexpected files and malformed network communications at it. This can cause the software to crash, and occasionally place it into a vulnerable state, enabling it to be manipulated by attackers.
"The more iterations that you do, the more bugs you'll be able to find, and this distributed system has enabled us to do many more iterations because we're using lots of different machines," said Tom Gallagher, lead of the Microsoft Office Security team.
Gallagher cohosted a presentation on the Distributed Fuzzing Framework at the CanSecWest security conference in Vancouver last week. He emphasized that while Microsoft found 1800 bugs or more, not all of these constitute security threats.
Given the success that Microsoft has experienced with hardening Office 2010 using the fuzzing system, it is now making the system available to other teams within the company.
"We make it easy for teams to choose a fuzzer from a list, and automatically, the system deploys a fuzzer on the machines," said David Conger, a software development engineer in the Access database team at Microsoft, who built the Distributed Fuzzing Framework.