Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Blogs
    • Security Watch

    Microsoft to Fix Development with Lessons Learned from ANI

    By
    Lisa Vaas
    -
    April 27, 2007
    Share
    Facebook
    Twitter
    Linkedin

      After all the work Microsoft did leveraging the Security Development Lifecycle, why didn’t SDL catch the animated cursor vulnerability in Windows Vista?

      According to Adrian Stone at the MSRC (Microsoft Security Response Center), that is a question that he’s still getting regularly—and it’s a good one. “Honestly, that is a fair question and one I asked myself during the investigation, as I was the program manager responsible for the case,” he wrote in a blog entry on April 26.

      As it turns out, Microsoft’s SDL group—which tracks security issues and works on incorporating lessons learned into future development—has just begun a blog, and the first entry is on lessons learned from ANI. Those lessons are leading the company to consider, for example, eliminating at least one call from old (pre-SDL) code that escaped the first round of cuts. Also, it’s already replaced a buffer stack check and has updated its fuzzing tools.

      According to Michael Howard, an architect of the SDL and a senior security program manager in the security engineering group at Microsoft, the company came away with the following lessons.

      “SDL is not perfect, nor will it ever be perfect. We still have work to do, and this bug shows that,” he said.

      The ANI code is “pretty old,” Howard added, predating the SDL itself. In developing Vista, 140,000 calls were changed to safer calls, and certain APIs were banned outright. Memcpy, a function that copies data between two memory locations, wasn’t on that initial list of banned calls, but it may well get tossed soon.

      Howard said his team is investigating the impact on new code of banning the memory handling function.

      “We will pay closer attention to exception handlers that could mask vulnerabilities, and we will investigate the impact of banning memcpy for new code,” he said.

      In fact, memcpy is at the heart of why Microsoft’s static analysis tools didn’t find the .ANI bug. The problem with memcpy is that when it’s used in a call, it makes that code hard to flag as vulnerable without generating a heap of false positives.

      Nobody has managed to solve that problem, either inside or outside of Microsoft. Howard said his group is pondering swapping in a variation of the call—memcpy_s—that requires the developer to insert the destination buffer size. Stay tuned, he said.

      Even some defense-in-depth measures didn’t stop ANI—for example, /GS, a buffer security check. Microsoft has swapped out the -GS pragma, and, because of certain issues of the original -GS, the company is also rethinking the heuristics the compiler uses in handling -GS.

      That won’t happen overnight though. “…Changing the compiler is a long-term task. In the short-term, we have a new compiler pragma that forces the compiler to be much more aggressive, and we will start using this pragma on new code,” Howard said.

      Microsoft is also mulling over what Howard called an “interesting security side effect” of code being wrapped in an exception handler that catches code failures. That’s “usually” good for security, he said, but Vista includes ASLR (address space layout randomization) with the goal of making it harder for an attacker to figure out addresses of critical functions and hence harder to get exploits running correctly.

      “If the vulnerable code is wrapped in an exception handler that catches many errors, a failed attempt will not crash the component and the attacker can try again with a different set of addresses,” he said.

      “Note that by itself the ‘catch everything’ construct is not a security bug, but it can aid an attacker if the exception handler wraps vulnerable code.”

      Microsoft has also found that the .ANI exploit is slipping by without getting noticed by its SAL (Standard Annotation Language), which usually finds “many bugs,” Howard said. It’s doing that by taking a PVOID buffer and hiding its length inside a piece of code that’s passed by reference.

      If SAL could read the buffer length, he said, it would generate alerts about both readable size and a possible stack-based buffer overrun.

      The company has also beefed up its fuzzers in response to the .ANI exploit. Fuzz tests didn’t initially find the .ANI code because none of them had ample “anih” records to do so.

      “This is now addressed, and we are continually enhancing our fuzzing tools to make sure they add manipulations that duplicate arbitrary object elements better,” Howard said.

      The .ANI bug hasn’t been all bad news. Howard points out that malicious exploits were “stopped dead” due to UAC and Protected Mode IE, although exploits could certainly be written that could sneak around those protective mechanisms.

      But hopefully, Microsoft will respond quickly when those exploits are written.

      “Our goals are to code well, catch bugs, and reduce the chance that new bugs enter the code,” Howard said. “We have a set of features in place to catch things the process misses. “We have a learning process and layers of defense in depth because we don’t expect perfect code—ever.”

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×