Malicious users warm to ‘fuzzing’

Tools used by software developers to test for faulty design are now being employed by hackers to discover unknown vulnerabilities, a security firm warned today.

Artificial Intelligence (AI) tools are designed to mimic human intelligence by trying to force abnormal responses in applications to determine if bugs are present.

But this methodology, known as "fuzzing," is also being widely used by hackers, who are sharing their findings with the underground malicious community in instant relay chat rooms "to rapidly develop new threats," according to a news release issued today by Secure Computing.

Company officials said in the statement that as more and more exploits emerge, vendors will have difficulty pushing out timely fixes.

"Fuzzing will clearly accelerate the ability for hackers to discover new vulnerabilities in software applications," said Paul Henry, vice president of strategic accounts for Secure Computing. "Software vendors were already struggling to keep up with patches for software bugs. The use of fuzzing tools by hackers and the flood of newly discovered vulnerabilities may overwhelm software vendors' ability to respond with patches."

The power of fuzzing tools was brought to the forefront this month by security researcher and Metasploit creator H.D. Moore. He has pledged to publish information about a new web browser flaw each day during July.

But Moore, who is calling the initiative the "Month of Browser Bugs" project, said the 31 flaw details will not lead hackers to exploit code.

"The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution," he said in a blog posting.
