A wave of attacks targeting Microsoft Office 2003 last year taught the company some tough security lessons it is now aggressively applying, a Microsoft software engineer has said.
"When Office 2003 shipped, we thought we'd done some good work and that it would be a secure product," said David LeBlanc, a senior software development engineer with the Office team. "For the first two years after release, it held up really well, only two bulletins. [But] then people shifted their tactics and started finding problems in fairly large numbers."
LeBlanc, one of the proponents of Microsoft's Security Development Lifecycle (SDL) initiative, and Michael Howard, the co-author of Writing Secure Code for Vista, referred to the spate of attacks in 2006 that exploited numerous vulnerabilities in Office 2003's file formats. The suite's core applications, Word, Excel and PowerPoint, were all patched multiple times last year.
"I can't gloss this over. You can look up the security bulletins that apply to Office 2003 yourself,” he said.
The attacks, and the flaws they exposed, not only prompted immediate patches and the release this week of Office 2003 Service Pack 3 (SP3), but pushed Microsoft to step up efforts to track down bugs before shipping code.
"We realised that fuzzing needed to be a much bigger part of what we did," said LeBlanc. "We were already on the road to doing that, but we had to do more of it, and get smarter at it."
"Fuzzing" is a process used by security researchers trolling for vulnerabilities and by developers looking for flaws in their code before it goes public. Armed with fuzzers, automated tools that drop data into applications, file formats or operating system components to see if and where they fail, programmers stress test software. LeBlanc calls it "exercising the code".
Office 2007, especially its file formats, was extensively fuzzed during its development, often with custom built fuzzers written by the teams responsible for specific file formats, said LeBlanc. In turn, that led Microsoft's developers to go back into Office 2003 to run the same level of fuzzing against its code as was done with Office 2007. Fixes for flaws uncovered during the repeat round of testing were incorporated in SP3.