Researchers question Vista security after ANI exploit
The flaw affected every version of Windows
April 6, 2007 12:00 PM ET
Computerworld - Microsoft Corp.'s failure to spot the animated cursor bug in Windows Vista is, at best, a flag to hackers that old flaws may abound in the new operating system, researchers said today. At worst, it's a disconcerting sign that Vista's security-oriented development process slipped up.
This week, Microsoft issued an out-of-cycle fix for a vulnerability that's been exploited since at least March 28 by hackers armed with malicious .ani files. Every supported version of Windows contained the bug, including Vista.
The fact that Vista was affected rang alarm bells with security researchers, who recalled that an update more than two years ago addressed the same section of Windows code. That bug, fixed by the MS05-002 patch, also involved animated cursors and icon files, and the patch updated the User32.dll file. That file was also replaced in this week's MS07-017 update.
Earlier this week, Mark Miller, director of the Microsoft Security Response Center, acknowledged that the failure to spot the new ANI bug when developers reviewed the vulnerable code in 2005 was a breakdown. "We're doing an analysis of why we didn't find it then," Miller said.
Security researchers weren't so kind.
"You have to take some points away from Microsoft for not catching this," said Amol Sarwate, manager of Qualys Inc. "The No. 1 step before trying to find new vulnerabilities in [something like Vista] is to test older ones, or exploit variants against older vulnerabilities."
Oliver Friedrichs, director of Symantec Corp.'s security response team, agreed. "Given the investment it's made and SDL [Microsoft's Security Development Lifecycle], we would have hoped Microsoft had found this then," said Friedrichs. "I'd call it 'somewhat of a failure,' because frankly, these vulnerabilities are very, very difficult to find. Vulnerability research is more of an art, less of a science."
Microsoft hasn't made it a secret that it recycled old code when creating Windows Vista. Starting from scratch in every instance, said Friedrichs, would have been "simply impossible." But Microsoft has heavily publicized the SDL process it used to craft Vista, and how in earlier products, such as SQL Server 2005, SDL drastically reduced the number of bugs. As part of the SDL process, developers are to conduct one or more security code reviews.
"They are a crucial step in the process of removing security vulnerabilities from software during the development process," Microsoft said in a posted outline of SDL.
But for some, Vista's security promise met reality with the ANI bug.
"I wouldn't say that SDL is a total failure, but if we keep seeing newer vulnerabilities and ones based on older flaws, then I would have to question the entire process," said Sarwate. "At the least, it definitely opens the door to hackers to go back and look in older vulnerabilities and try exploits of those on Vista."
