Saturday, January 27, 2007

Fuzzing shouldn't work!

After the Month of Browser Bugs ended in August 2006, I imagined that browser fuzzing will be over soon. The widespread awareness of this technique and the release of multiple HTML and ActiveX fuzzers were going to help eradicate all easily-found bugs. Vendors were going to incorporate fuzzing in their QA process, and I expected that running a fuzzer in 2007 would be pointless.

It turns out that I was wrong. After the release of Vista, I ran a very simple ActiveX fuzzer against it and only a few minutes later I hit a NULL pointer dereference bug in Internet Explorer. You can read the full advisory at our security research site.

The ActiveX fuzzer I used was extremely simple - it instantiated each available ActiveX control and accessed all its properties. It didn't even have to send any malformed data or long strings, just accessing the ActiveX object was enough to crash the browser. Something this simple isn't supposed to work!

I agree with Microsoft's assessment of the bug as something that's probably not worth fixing in a security update, but the fact stands: this is a bug that should have been found and fixed very early in the development cycle. Maybe next time they'll do better.

Labels: ,


At 11:13 PM, Blogger butlimous said...
Thanks for the nice post!  

Post a Comment

<< back