Among the ways the Office team is trying to get a step on attackers, said LeBlanc, is with stepped up fuzzing. He pointed to a presentation at last month's Black Hat security conference that described using generic algorithms to cover more code during fuzzing, a technique he said Microsoft had been working on for a couple of years.
"Right now, the technique is only able to exercise relatively simple network protocols, like HTML, which is a lot simpler than a Word document," said LeBlanc. "Given five years, will attackers figure out a way to scale that? Our job is to figure out if they will so we can protect our customers for the life of the product."
Even the most diligent efforts, however, won't find every flaw, LeBlanc admitted. "One of the problems with fuzzing is it's really hard to say when you're done. Have you exercised the code sufficiently?"
A good example of something testing didn't spot during Office 2007's development -- not to mention the even earlier work on Office 2003 -- was the bug in Excel's file format disclosed by the July security bulletin MS07-036. The vulnerability, which existed across the Office line, from version 2000 to 2007, was, said the bulletin, "in the way Excel handles malformed Excel files." It was the first bug in a core Office 2007 application's file format.
"Something slipped through the cracks," LeBlanc acknowledged after looking over the MS07-036 advisory. "We like to stop these things, and overall I think we did a pretty good job fuzzing Office 2007. This is the first one. It's kind of an example of why we need to continue to get smarter and apply more horsepower to this particular problem."
Bottom line, he said, is that the developers working on Office know they have to crank it up a notch. "We're going to be continuing to push the envelope to find new ways to make the product as secure as possible," LeBlanc said. "We need to get way, way out in front of those guys."