File fuzzing is the process of feeding an application large volumes of varied and malformed input. While fuzzing is mainly intended to test the integrity of files and the robustness of applications, it has also changed the way attackers find exploits in applications. Those searching for exploits can essentially “carpet bomb” a product with large volumes of randomly generated, tampered data. Therefore, it is no longer sufficient to release a patch resolving a found issue, or even a patch that includes several fixes in the “code locality” of the original vulnerability. In fact, releasing an incomplete patch may even cause more problems for users, as the release of a bulletin may itself bring the product to the attention of those using fuzzing for malicious reasons. Remaining vulnerabilities may sometimes be found in a matter of minutes. The task of fixing the individual vulnerabilities in the code is often overwhelming, particularly for applications with a large legacy code base or with older in-market products still under support.
The task of protecting against attacks is also daunting, not only because of the sheer numbers involved but also because the problems may be widespread. While some singular issues are encountered frequently, there is a long tail of harder-to-nail-down problems. The development time estimates after an analysis of fuzzing-type attacks can vary from days to years.
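
The incomplete-patch problem described above, as an added example that is not part of the original text: a constructed toy record parser with two input-handling bugs, a "patched" build that fixes only one of them, and a small mutation fuzzer run against both as a pre-release regression check. The file format, the parser and every name here are assumptions made for illustration, and the fuzzer substitutes every byte value at every offset instead of using random data so that the run is reproducible.

```python
# Added example: constructed toy format, repeated records of
# [type:1][length:1][payload:length]. Not taken from any real product.
SEED = bytes([1, 3, 65, 66, 67, 2, 2, 4, 8])  # constructed valid sample file

def parse(data, check_length):
    """Toy parser. check_length=False is the shipped build, True the patched one."""
    i, out = 0, []
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated record header")  # clean rejection
        rtype, length = data[i], data[i + 1]
        i += 2
        if check_length and length > len(data) - i:
            raise ValueError("declared length exceeds file")  # the patch
        # Bug 1: the declared length is trusted, so a lying length reads past the end.
        payload = [data[i + k] for k in range(length)]
        if rtype == 2:
            # Bug 2 (not covered by the patch): an empty type-2 record divides by zero.
            out.append(sum(payload) // len(payload))
        else:
            out.append(bytes(payload))
        i += length
    return out

def original(data):
    return parse(data, check_length=False)

def patched(data):
    return parse(data, check_length=True)

def fuzz(target, seed=SEED):
    """Try every byte value at every offset; bucket unhandled exceptions by type."""
    buckets = {}
    for pos in range(len(seed)):
        for val in range(256):
            case = seed[:pos] + bytes([val]) + seed[pos + 1:]
            try:
                target(case)
            except ValueError:
                pass  # parser rejected the file cleanly: not a finding
            except Exception as exc:
                buckets.setdefault(type(exc).__name__, case)  # first reproducer
    return buckets

if __name__ == "__main__":
    for name, target in (("original", original), ("patched", patched)):
        print(name, sorted(fuzz(target)))
```

The patched build rejects lying length fields cleanly, yet the same 2,304-case run still reports the zero-length type-2 record, a failure outside the code the patch touched.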