Under The Kimono Of Office Security Engineering presented at CanSecWest 2010

by Tom Gallagher (Microsoft), David Conger (Microsoft)

Summary: Tom and David from the Microsoft Office team presented the large and coordinated effort Microsoft is making to improve the security of Microsoft Office 2010.

As Peter Vreugdenhil demonstrated, DEP is not foolproof, which is why the work that Tom and David do is so important. They discussed a distributed, programmable fuzzer they wrote to discover bugs in Office. Office must process more than 300 different file types, and during their investigations they found and fixed more than 1800 bugs in Office 2010 alone.

Their work has resulted in the development of the new Gatekeeper and FileBlock technologies to protect Office users from potentially malicious files. To recruit machines for their "fuzzer botnet" they made sure to enlist managers at Microsoft, who often have the coolest, fastest gear and use it the least.

Tom Gallagher: Tom Gallagher is the lead of the Microsoft Office Security Test team, where he focuses on penetration testing, writing security testing tools, and providing security education.

David Conger: David Conger is currently a writer and programmer for the Microsoft Windows Mobile Internet Toolkit in Seattle. He has also written and maintained the Microsoft Platform Software Development Kit (PSDK), a primary source of content for the Microsoft Developer Network (MSDN). Beyond his work on these projects, David has been a software engineer for Microsoft Interactive TV and American Laser Games Corporation. He is an experienced programmer in C (17 years), C++ (8 years), Visual Basic, and C#. David has also taught computer programming at the University of Washington and written computer textbooks geared toward teaching technology students the fundamentals of software development, including Fundamentals of Microcomputers for Technology Students, C++ Software Development for Technology Students, and C Software Development for Technology Students, all for Prentice Hall.