Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Researchers question Vista security after ANI exploit

The flaw affected every version of Windows

April 6, 2007 12:00 PM ET

Computerworld - Microsoft Corp.'s failure to spot the animated cursor bug in Windows Vista is, at best, a flag to hackers that old flaws may abound in the new operating system, researchers said today. At worst, it's a disconcerting sign that Vista's security-oriented development process slipped up.

This week, Microsoft issued an out-of-cycle fix for a vulnerability that's been exploited since at least March 28 by hackers armed with malicious .ani files. Every supported version of Windows contained the bug, including Vista.

The fact that Vista was affected rang alarm bells with security researchers, who recalled that an update more than two years ago addressed the same section of Windows code. That bug, fixed by the MS05-002 patch, also involved animated cursors and icon files, and updated the User32.dll file. That file was also replaced in this week's MS07-017 update.

Earlier this week, Mark Miller, director of the Microsoft Security Response Center, acknowledged that the failure to spot the new ANI bug when developers reviewed the vulnerable code in 2005 was a breakdown. "We're doing an analysis of why we didn't find it then," Miller said.

Security researchers weren't so kind.

"You have to take some points away from Microsoft for not catching this," said Amol Sarwate, manager of Qualys Inc. "The No. 1 step before trying to find new vulnerabilities in [something like Vista] is to test older ones, or exploit variants against older vulnerabilities."

Oliver Friedrichs, director of Symantec Corp.'s security response team, agreed. "Given the investment it's made and SDL [Microsoft's Security Development Lifecycle], we would have hoped Microsoft had found this then," said Friedrichs. "I'd call it 'somewhat of a failure,' because frankly, these vulnerabilities are very, very difficult to find. Vulnerability research is more of an art, less of a science."

Microsoft hasn't made it a secret that it recycled old code when creating Windows Vista. Starting from scratch in every instance, said Friedrichs, would have been "simply impossible." But Microsoft has heavily publicized the SDL process it used to craft Vista, and how in earlier products, such as SQL Server 2005, SDL drastically reduced the number of bugs. As part of the SDL process, developers are to conduct one or more security code reviews.

"They are a crucial step in the process of removing security vulnerabilities from software during the development process," Microsoft said in a posted outline of SDL.

But for some, Vista's security promise met reality with the ANI bug.

"I wouldn't say that SDL is a total failure, but if we keep seeing newer vulnerabilities and ones based on older flaws, then I would have to question the entire process," said Sarwate. "At the least, it definitely opens the door to hackers to go back and look in older vulnerabilities and try exploits of those on Vista."



Jump to comments

Microsoft

Additional Resources

WHITE PAPER
Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.
WHITE PAPER
Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.
WHITE PAPER
Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

What People Are Saying

White Papers & Webcasts

Share our Strength
Download Now  

Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...

Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.

Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...