Microsoft Office Security Team Enlists Bots, Pen Tests

July 17, 2008 – 3:01 PM

Storm, Srizbi, and… Microsoft? Microsoft’s Office application security team actually runs its own internal botnet, which, among other things, “fuzzes” for vulnerabilities in Office applications.

Microsoft’s botnet isn’t anywhere near the size of Srizbi (over 300,000 bots at last count) nor any of the other mega-botnets — it’s just a couple of thousand machines located in Microsoft’s automation lab. But Tom Gallagher, senior security test lead for Microsoft Office, says the internal botnet is a key tool in rooting out new vulnerabilities in Office by simulating the wildly popular fuzzing technique used by attackers.

“We instruct the machines to perform various types of manipulations to a well-formed ‘good’ Office document,” Gallagher says. The Office security team typically targets memory-corruption bugs in the software, such as buffer overruns, integer overruns, and format string bugs, says Gallagher, who notes that the botnet is also used to test out features in the software.
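The mutation approach Gallagher describes, as an added illustration rather than Microsoft's own tooling: a seed document in a constructed toy record format is repeatedly manipulated (bit flips, boundary values written over length fields, truncation) and each variant is run through a parser, with any exception recorded the way a lab harness would log a crash. The format, the `parse_document` target and the mutation set are all assumptions made for this example.

```python
import random
import struct

# Constructed seed: a minimal well-formed "document" in a toy record format
# (4-byte magic, then records of u16 type, u32 length, payload). Not a real Office format.
MAGIC = b"TDOC"

def build_record(rtype, payload):
    return struct.pack("<HI", rtype, len(payload)) + payload

SEED_DOC = MAGIC + build_record(1, b"Hello, fuzzing") + build_record(2, b"\x01\x02\x03\x04")

def parse_document(data):
    """Toy parser standing in for the target application; raises on malformed input."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    off, records = 4, []
    while off < len(data):
        rtype, length = struct.unpack_from("<HI", data, off)  # struct.error if truncated
        off += 6
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError("record overruns file")  # the bounds check a real parser needs
        if rtype == 1:
            payload.decode("utf-8")  # UnicodeDecodeError on corrupted text records
        records.append((rtype, payload))
        off += length
    return records

# Boundary values chosen to provoke integer-overrun and sign errors in length handling
INTERESTING = [0, 1, 0x7FFF, 0xFFFF, 0x7FFFFFFF, 0xFFFFFFFF]

def mutate(doc, rng):
    """Apply one random manipulation to a copy of a well-formed document."""
    buf = bytearray(doc)
    choice = rng.randrange(3)
    if choice == 0:                                   # flip a single bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1:                                 # overwrite a 4-byte field with a boundary value
        struct.pack_into("<I", buf, rng.randrange(len(buf) - 3), rng.choice(INTERESTING))
    else:                                             # truncate, or duplicate the tail
        cut = rng.randrange(1, len(buf))
        buf = buf[:cut] if rng.random() < 0.5 else buf + buf[cut:]
    return bytes(buf)

def fuzz(seed_doc, target, iterations, seed=0):
    """Run mutated variants through target; return {exception name: first triggering input}."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        sample = mutate(seed_doc, rng)
        try:
            target(sample)
        except Exception as exc:  # in a lab this is the crash/hang detector on the bot
            findings.setdefault(type(exc).__name__, sample)
    return findings
```

Each recorded sample is a minimal reproducer that can be handed to the developers owning the parser, which is the feedback loop the article describes.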

This hack-it-yourself strategy has become the norm for the Office security team, which aside from its fuzzing botnet also regularly conducts penetration testing on its Office code and apps. Gallagher, 31, and senior software development engineer David LeBlanc, 47, lead a team that hacks at the applications regularly — and then feeds its findings to the Office application developers.

