Researcher Charlie Miller has one message for software vendors: Fuzz your software.
In a fuzzing project over several three-week periods, Miller, principal security analyst at Baltimore-based Independent Security Evaluators, discovered dozens of vulnerabilities in products developed by Apple, Microsoft and Adobe Systems Inc. Miller fuzzed PDFs to identify vulnerabilities in Adobe Acrobat Reader and Apple Preview. He then fuzzed PowerPoint files to examine OpenOffice Impress and Microsoft PowerPoint.
"Depending on what was going on in the house, I had five to eight computers fuzzing at a time," Miller said.
Miller explained his findings and shared his fuzz testing technique with attendees at the CanSecWest Applied Security Conference Thursday. He found that after examining 3 million PDF files, Adobe Acrobat had between three and 10 possible exploitable files. Apple Preview, a PDF reader, had 30 to 60 exploitable files. OpenOffice PowerPoint had 10-12 exploitable files and Microsoft PowerPoint had 6-30 exploitable files.
Miller said he doesn't plan to go public with the zero-day vulnerabilities. He demonstrated one of his vulnerabilities -- exploiting a hole in Apple Safari running on Mac OS X -- at the TippingPoint DVLabs Zero-day Initiative Pwn2Own contest this week, earning him a $10,000 cash prize. He said he hopes his findings help force software vendors to better test and patch their products.
"They clearly didn't fuzz it," he said of the estimated 20 vulnerabilities that he believes are exploitable in Apple Preview, flaws which can also be exploited in Safari.
Miller said his technique is an extensive form of dumb fuzzing: about five lines of Python code that can be left alone to test hundreds of thousands of files, recording any crashes it discovers. Fuzz millions of files, he said, and eventually you exercise every feature of the software that parses them.
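One way to put this dumb-fuzzing loop into code, as an added example (not Miller's own script): it overwrites a few random bytes of a seed file, hands the result to a file-parsing program, and keeps any input whose process was killed by a signal. The `./viewer` command and `seed.pdf` path are placeholders for the product under test and a corpus file.

```python
import hashlib
import random
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional


def mutate(data: bytes, rng: random.Random, max_changes: int = 8) -> bytes:
    """Overwrite a handful of random bytes with random values; length is never changed."""
    buf = bytearray(data)
    if not buf:
        return data
    for _ in range(rng.randint(1, min(max_changes, len(buf)))):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def run_file_target(cmd: List[str], case: bytes, timeout: float = 10.0) -> Optional[int]:
    """Write `case` to a temp file, run `cmd <file>`, return the exit status (None on hang)."""
    with tempfile.NamedTemporaryFile(suffix=".pdf", delete=False) as tmp:
        tmp.write(case)
        path = Path(tmp.name)
    try:
        proc = subprocess.run(cmd + [str(path)], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
        return proc.returncode
    except subprocess.TimeoutExpired:
        return None
    finally:
        path.unlink(missing_ok=True)


def fuzz(seed: bytes, run: Callable[[bytes], Optional[int]], iterations: int,
         rng: random.Random) -> Dict[str, bytes]:
    """Mutate `seed` repeatedly; record every input whose run died from a signal."""
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        rc = run(case)
        if rc is not None and rc < 0:  # POSIX: negative status = killed by SIGSEGV, SIGABRT, ...
            crashes.setdefault(hashlib.sha256(case).hexdigest(), case)
    return crashes


if __name__ == "__main__":
    # Placeholder target and seed: substitute the viewer under test and a real corpus file.
    seed_bytes = Path("seed.pdf").read_bytes()
    found = fuzz(seed_bytes, lambda c: run_file_target(["./viewer"], c), 1000, random.Random(1))
    for digest, crash in found.items():
        Path(f"crash-{digest[:12]}.pdf").write_bytes(crash)  # keep each crasher for triage
    print(f"{len(found)} crashing inputs saved")
```

Crashing inputs are only candidates: each still has to be triaged with the memory-checking tools described further down before it counts as exploitable.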
"My idea is that if I find enough Word documents, I'll find a Word document for every feature that Word documents can have," Miller said.
His fuzzing technique can find a number of different kinds of flaws. Some may be very minor bugs that can't be used by attackers. Others can be critical buffer overflows and other memory errors which are valuable commodities in the hacking community.
Miller said he used four tools to conduct analysis and verify exploitable bugs: Libgmalloc, a tool that examines the crash findings for heap overflow conditions; Crashwrangler, which looks for bin crashes; Memcheck, which also identifies memory errors; and !exploitable, a tool that estimates whether vulnerabilities are exploitable.