IT Security Blog

  • Home
  • About IT Security Blog
  • IT Security Basics
  • Real-World Issues
  • Network Security
  • News
  • Malware
  • Tips
  • Spyware

Fuzzing: What Is It?

24 September 2010 By Saran

A computer (credit: http://www.flickr.com/photos/amagill/

Fuzz testing may sound like a term far removed from the IT world, but fuzzing is a good way of discovering weaknesses in a network, application or server before others do. Fuzzing involves bombarding a program with randomly generated data to see if it’ll withstand the overload. If it fails, either by crashing or not executing a specific code, then there’s a defect you need to find and correct. Hackers can use fuzzing to find what bugs exist in an application, for example, a web browser, and then create specific code to exploit the application’s weaknesses. But if these bugs are discovered before they can be exploited then a way can be found to fix these exploitable bugs.

Testers can use fuzz testing to find out if the current software being used have easily exploitable vulnerabilities. It is probably the closest approximate to a real-world situation when data coming into a system or application doesn’t always follow validation rules. While fuzzing, testers keep a record of all the data they create, so it’s easy can keep track of what specifically caused any errors. It’s also relatively cheap to perform fuzz testing, and it can be used to compare the security of different programs and operating systems. Open source fuzzing tools and tests for different applications and systems are now available online. Though fuzzing doesn’t guarantee to find every error-producing event and bug that can occur on your system, it does give an idea of where intruders might try to attack. Errors like buffer overruns and attacks on cross-site scripting can be prevented by fuzz testing.

[tags]fuzzing,bugs,buffers,phishing,pharming,software,errors,intruders[/tags]

Filed Under: IT Security Basics, Tips Tagged With: buffers, bugs, errors, fuzzing, intruders, IT Security Basics, pharming, phishing, software, Tips

Windows 7 Hit By Zero-Day Exploit

13 November 2009 By Saran

windows_7_previewWindows 7 fans were rejoicing when Microsoft released a patch on Tuesday because their system was not affected in any way by the six security issues. The rejoicing was short-lived, however, as news has been released that there IS a bug that can crash a Windows 7 system. The bug has been named Zero-Day Exploit and was discovered by Laurent Gaffie.

PC World provides further details:

The issue is in the SMB (Server Message Block) protocol that forms the backbone of Windows file sharing. When triggered, the flaw results in an infinite loop which renders the computer useless.

Tyler Reguly, Lead Security Research Engineer with nCircle, explains “Exploitation of this vulnerability occurs when a user attempts to browse to Windows Share hosted on the malicious server. On Windows 7, the DoS (denial of service) will occur as soon as you type ‘\\\’ in the search box. ” The vulnerability actually impacts both Windows 7 and Windows Server 2008 R2.

While the threat is very much real, experts say that the chances of the bug being exploited are quite low:

There are currently a couple different proof-of-concept exploits circulating, but there are no reported attacks in the wild at this point. Because the flaw only enables an attacker to crash the system, and doesn’t provide any unauthorized remote access that could lead to compromising information or performing other malicious activities, the odds of the exploit being actively used by attackers is fairly slim.

So what are Windows 7 users supposed to do now? Currently, Microsoft has not yet released a patch to deal with the threat. I suppose the only sensible thing to do is to be more careful with regard to visiting web sites, especially if you are unsure of its legitimacy.

Photo courtesy of Megaleecher

Filed Under: Operating Systems Tagged With: bugs, Exploits, Operating Systems, Windows 7

Categories

  • Backups
  • Cryptography
  • E-mail
  • Firefox
  • General
  • Google Chrome
  • IM
  • Instant Messaging
  • IT Security Basics
  • Malware
  • Network Security
  • News
  • Operating Systems
  • Physical Security
  • Privacy & Anonymity
  • Programming
  • Real-World Issues
  • Review
  • Security Policies
  • Spyware
  • Storage
  • Tips
  • Web browsers
  • Wireless Security