[qubex]

Yes I wrote a fuzzer once and was one of the guys that independently discovered the ancient NT 4.0 SP6 ”named pipe” vulnerability. I just tend to think that crashing on unexpected stuff is more sensible than any alternative (a kind of deny-by-default).

[Someone]

yes, it is, but I think you’ll agree that, without knowing what particularly defines the unexpected it is hard to tell whether it really is crashing on all unexpected stuff or crashing on most, and running the attacker’s code on other.

That’s what should make people worried a bit.

As to fuzzing: given the complexity of the code and the frequency at which bugs are found, I would expect Apple to fuzz their font rendering code 24/7. Do bugs still surface because there are that many, because the whole rendering engine changes that often, because of compiler bugs that do not show up in instrumented code, or because they don’t fuzz it themselves that well?

[dfox]

That depends on what is the mechanism that really causes the crash. If the crash on unexpected input is intentional, then all is good. If it is result of some random corruption of something, then you have problem.

Edit: spelling and grammar