Came across an article, it is about the new BadWinmail vulnerability in Outlook. Being a closed-source software, how do researchers manage to point out that Outlook is not sandboxing the flash?
Is it possible to view the source code by any reverse engineering methods or they concluded the result based on hints that they picked around?
There are a several ways I'm aware of.
You can technically "view the source" of executables by using tools such as IDA Pro. or OllyDbg. Assembly knowledge is required! Stack Exchange also has a Reverse Engineering site you're interested.
You can test input fields for common vulnerabilities.
You can make a fake client/server to receive information from a program / API, and log what is being sent and received over the network, then try to send back malformed data with typical buffer overflow attacks.
Using an automated testing platform. I do not have any opinion on these.
Since you mentioned flash, it's no problem to "decompile" that. Flash submission data is also sent over the browser's request forms, so using a tool like TamperData will allow you to modify what is being sent. In many cases, you can edit your score in a flash game.
A little bit of digging shows that the discoverer of the BadWinmail vulnerability is Haifei Li, who appears to be a researcher for the security / anti-virus company McAfee, judging by those blog posts, it looks like he specializes in Flash and Microsoft Office.
You can bet that a company like McAfee has special agreements with Microsoft which gives them some sort of access to the source code or special testing environments in exchange for telling Microsoft about any vulnerabilities before going public with them.
Also, most veteran security researchers are very good at reading raw assembly code, so having an .exe is just as good as having access to the original source code.
