Microsoft explains how it missed critical IE bug
Programmers and testing tools overlooked years-old bug, admits company's secure code expert, but Vista's 'Protected Mode' worked
Computerworld - Microsoft Corp.'s developers missed a critical bug in Internet Explorer because they weren't properly trained and didn't have the right testing tools, a noted proponent of the company's secure code development process acknowledged last week.
The bug, which Microsoft patched last week with an emergency update, had gone undetected for at least nine years.
In an insider's description on Microsoft's Security Development Lifecycle blog, Michael Howard, a principal security program manager at the company, offered a postmortem analysis of the IE vulnerability and Microsoft's code-writing and reviewing process.
Howard, who is perhaps best known for co-authoring the book Writing Secure Code, said the flaw was a "time-of-check-time-of-use" bug in how IE releases data binding objects.
The vulnerability was not found by programmers because they had not been told or taught to look for them in such cases, Howard said. "Memory-related [time-of-check-time-of-use, or TOCTOU] bugs are hard to find through code review," he said. "We teach TOCTOU issues, and we teach memory corruption issues, and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues."
Microsoft's testing tools -- including "fuzzers," which are automated tools that drop data into applications, file formats or operating system components to see if and where they fail -- also missed the bug, Howard acknowledged.
"In theory, fuzz testing could find this bug, but today there is no fuzz test case for this code," he said. "Triggering the bug would require a fuzzing tool that builds data streams with multiple data binding constructs with the same identifier. Random (or dumb) fuzzing payloads of this data type would probably not trigger the bug, however."
Howard said Microsoft would update its developer training to account for memory-related TOCTOU bugs like this one.
Several parts of Windows' security tool kit didn't help protect users from exploits of this bug, Howard added, including ALSR and NX, technologies available only in Windows Vista and Windows Server 2008. "Even though Windows Vista and Windows Server 2008 have both ASLR and NX enabled by default, Internet Explorer 7 does not opt-in to these defenses owing to compatibility issues with many common applications," Howard noted.
Before Microsoft released last week's patch, and after it had confirmed that attacks were in progress, it urged users to take countermeasures, including enabling DEP (data execution prevention), another term for NX, in IE7.
Another Microsoft defense, however, did protect users running Vista or Server 2008, said Howard, who argued that "Protected Mode" did its job. Protected Mode essentially "sandboxes" IE and its add-ons so that actions taken within the browser are prevented from accessing the operating system generally.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts