Programmer slip-up produces critical bug, Microsoft admits

Computerworld - Microsoft acknowledged Thursday that one of the critical network vulnerabilities it patched earlier in the week was due to a programming error on its part.

The flaw, one of 34 patched Tuesday in a massive security update, was in the code for SMB 2 (Server Message Block 2), a Microsoft-made network file- and print-sharing protocol that ships with Windows Vista, Windows 7 and Windows Server 2008.

"Look at the two array references to ValidateRoutines[] near the end," said Michael Howard, principal security program manager in Microsoft's security engineering and communications group, referring to a code snippet he showed in a post to the Security Development Lifecycle (SDL) blog. "The array index to both is the wrong variable: pHeader->Command should be pWI->Command."

Howard, who is probably best known for co-authoring Writing Secure Code, went on to say that the error was not only in new code, but a "bug of concern."

The incorrect variable -- "pHeader" instead of "pWI" -- produced a vulnerability that Microsoft rated critical, its highest threat ranking. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," read the MS09-050 security bulletin released Tuesday. Attackers could trigger the bug by sending a rigged SMB packet to an unpatched PC.

As he did in July when he admitted an extra "&" character in a Microsoft code library created a widespread vulnerability in most company software -- and software crafted by third-party developers such as Sun, Cisco and Adobe -- Howard argued that the SMB 2 mistake was virtually impossible to catch without a line-by-line review.

"There is only one current SDL requirement or recommendation that could potentially find this, and that is fuzz testing," said Howard. "The only other method that could find this kind of bug is very slow and painstaking code review. This code was peer-reviewed prior to check-in into Windows Vista; but the bug was missed. Humans are fallible, after all."

Fuzzing -- subjecting software to a wide range of data input to see if, and where, it breaks -- did uncover the bug "very late in the Windows 7 development process," Howard said. Although the preview versions of Windows 7 that Microsoft handed out to the public -- both the beta from January 2009 and the release candidate posted in May -- included the bug, Microsoft caught it in time to patch the RTM, or release to manufacturing, final code that will officially ship next Thursday.

The SMB 2 bug in question was not the one that Microsoft publicized last month in a security advisory. That vulnerability, which received attention because exploit code went public, also affected Windows 7 prior to the RTM build.

Howard also said that he thought Microsoft's SDL process has handled the "low-hanging bugs" in the company's code, leaving what he called "one-off bugs" that are difficult to detect using automated tools.

"The majority of the bugs I see in Windows are one-off bugs that can't be found easily through static analysis or education, which leaves only manual code review, and for some bug classes, fuzz testing," he said. "But fuzz testing is hardly perfect."

Most analysts this week urged Windows users to put the MS09-050 patches on a high-priority list, if only because exploit code for one of the three SMB 2 vulnerabilities was public knowledge. Microsoft echoed that in its monthly deployment recommendations.

This month's security updates, including MS09-050, can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Read more about security in Computerworld's Security Knowledge Center.