Skip to Content
MIT Technology Review
  • Featured
  • Topics
  • Newsletters
  • Events
  • Podcasts
    • Sign in

    Fuzzing Snags a Serious Flaw in Windows

    Vulnerability hunters increasingly rely on “fuzzing”, a technique that tries to break programs with pseudo-random inputs.
    September 10, 2009

    Severe security bugs are getting harder to find, especially is gigantic pieces of software such as the Windows operating systems. Microsoft has spent millions attempting to defeat bugs, and arguably leads developers in secure software programming practices by vetting new code with automated analysis programs and by retraining all its developers in secure coding practices.

    Yet, occasionally serious security flaws still slip through.

    This week, that is exactly what happened when an independent security researcher revealed some details of a vulnerability in the Windows code that handles file and printer sharing, known as the server message block (SMB) protocol. The researcher, Laurent Gaffié, found the flaw using a technique known as “fuzzing” that tries to break a program by inputing random, but structured, data.

    Gaffié focused on the latest version of the code, known as SMB version 2, which is only included in Windows Vista and later versions of the Windows operating system. Finding the vulnerability was much easier than expected, he says. “It took exactly 15 packets (of data) and 3 seconds before SMBv2 got smacked,” Gaffié says. The researcher has spent the last year studying the Microsoft communications protocols, looking for weaknesses.

    Microsoft acknowledged the existence of the vulnerability in an advisory on Tuesday. The flaw only exists in Windows Vista and in older versions of Windows Server 2008 and Windows 7, the company says. Moreover, Microsoft was already aware of the issue and had fixed it in the Windows Server 2008 and Windows 7, a spokesperson says.

    “We found this issue independently through our fuzzing processes and implemented the fix into Windows 7 RTM (release to manufacturer) and Windows Server 2008 R2,” the spokesperson says. “We’re working to develop a security update for Windows Vista, Windows Server 2008 and Windows 7 RC.”

    Last month, another researcher revealed a flaw in the code that handles short message service (SMS) data on Apple’s iPhone. He also found the vulnerability through fuzzing.

    Keep Reading

    Most Popular

    images created by Google Imagen
    images created by Google Imagen

    The dark secret behind those cute AI-generated animal images

    Google Brain has revealed its own image-making AI, called Imagen. But don't expect to see anything that isn't wholesome.

    biomass with Charm mobile unit in background
    biomass with Charm mobile unit in background

    Inside Charm Industrial’s big bet on corn stalks for carbon removal

    The startup used plant matter and bio-oil to sequester thousands of tons of carbon. The question now is how reliable, scalable, and economical this approach will prove.

    AGI is just chatter for now concept
    AGI is just chatter for now concept

    The hype around DeepMind’s new AI model misses what’s actually cool about it

    Some worry that the chatter about these tools is doing the whole field a disservice.

    Peter Reinhardt
    Peter Reinhardt

    How Charm Industrial hopes to use crops to cut steel emissions

    The startup believes its bio-oil, once converted into syngas, could help clean up the dirtiest industrial sector.

    Stay connected

    Illustration by Rose WongIllustration by Rose Wong

    Get the latest updates from
    MIT Technology Review

    Discover special offers, top stories, upcoming events, and more.

    Thank you for submitting your email!

    Explore more newsletters

    It looks like something went wrong.

    We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.