Last month, over two dozen kernel bugs were published on a security researcher’s blog. Most of them were found using a file system fuzzer, which creates malformed file systems to try to crash each kernel. Not all of the MOKB (Month of Kernel Bugs) bugs were file system related, though. Some problems were found in Apple Airport drivers, Netgear wireless drivers, and Broadcom wireless drivers. Although more vulnerabilities that could be exploited are now known, this fuzzing approach does improve the overall stability of software available to consumers.
What I wonder, though, is why these big-company engineering teams don’t have a process to find all these bugs before the software is put into production. The same free fuzzing tools and techniques are available to the engineers as are available to the underground, so why aren’t they using them as part of their development process at each step along the way? They actually have the source code… so it should be easier!
Big companies have been cutting corners in development, and especially in testing, in order to turn a bigger, quicker profit for their shareholders. Then the vulnerabilities always come back to bite them and the consumer who gets exploited.
Eventually, maybe hundreds of years from now, all code will be open source and properly tested. People will realize that it is the only way to have secure software, and better processes will be put in place to ensure stable code. Until then, MO_Bs (Month of ___ Bugs) will be one of the only checks and balances on the undertested software products being released today. Love them or hate them, security researchers who find these flaws are doing the work that the engineering teams should have done pre-release.