April 27th, 2007

Microsoft mulling major changes to ward off .ANI-type flaws

Posted by Ryan Naraine @ 9:38 am

Categories: Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Metasploit, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Security, Flaw, Compiler, Microsoft Windows Vista, Microsoft Windows, Microsoft Corp., Mitigation, Tool, Attack, Ryan Naraine

How did the super-critical animated cursor (.ani) vulnerability get past all the strict code review, fuzz testing and other defense-in-depth mitigations built into Windows Vista?

Michael Howard has the answer, and he's sharing it with us in a candid explanation from Microsoft of the lessons learned from the recent zero-day attacks and of some planned changes to fix some warts in the SDL (Security Development Lifecycle).

[NOTE: The SDL is a mandatory software creation process used at Microsoft to reduce the number of security-related design and coding defects, and to reduce the severity of any defects inherited from legacy code].

Howard, who co-wrote a book that explains the intricacies of the SDL, has dropped some broad hints about the changes that will be made to the SDL to ward off .ani-type flaws, including a possible addition to the list of banned API functions, more aggressive checks for buffer overruns, and enhancements to the existing fuzz testing tools.

The changes are in keeping with the ever-evolving nature of the SDL, which is constantly updated to respond to new vulnerability discoveries and malware attacks.

During the creation of Windows Vista, more than 140,000 calls to unsafe API functions were banned, and Howard hinted that one more function, memcpy, might be added to the banned list for new code coming out of Redmond.

He also offered detailed technical explanations of the defense-in-depth measures that did not stop the .ani threat, including /GS, the compiler option that places a cookie on the stack so that some buffer overruns are detected before the function returns. The compiler uses heuristics to decide which functions get a cookie, and the function the .ani exploit hit was not one of them; Howard said Microsoft will "rethink the heuristics" the compiler uses to flag such functions. "Changing the compiler is a long-term task. In the short-term, we have a new compiler pragma that forces the compiler to be much more aggressive, and we will start using this pragma on new code," he added.

Two other Windows Vista security mechanisms, ASLR and SafeSEH, were also in place to catch code failures, but in the case of the .ani bug Howard said the vulnerable code was itself wrapped in an exception handler. A failed exploit attempt was caught and swallowed instead of crashing the process, which gave attackers a way around those mitigations.

"We're investigating this issue further to determine ways of finding exception handlers that may wrap potentially vulnerable code," Howard wrote.

A big part of the SDL is the use of static analysis and fuzz testing tools to locate potential vulnerabilities, but Howard said the tools did not flag this as a security bug because a memcpy call is hard to flag as vulnerable without generating a great many false positives.

"This is a research problem that no one has solved, here or elsewhere," he wrote. "Another angle is to replace calls to memcpy with memcpy_s, which forces the developer to think about the destination buffer size. We may ban memcpy for new code, but we still need to analyze this further. Stay tuned."

Howard made it clear that the animated cursor code was fuzz-tested extensively, but because none of the .ani fuzz templates had a second "anih" record, the .ani bug escaped discovery. (See Alexander Sotirov's technical explanation of the "anih" chunk and the buffer overflow.)

Howard said this weakness has been addressed as part of the continuing enhancement of Microsoft's fuzzing tools, "to make sure they add manipulations that duplicate arbitrary object elements better."
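The two fixes Howard describes above, a bounded copy in place of memcpy and a fuzz manipulation that duplicates an existing chunk, are easy to see together on a toy .ani reader. The following is an added example written for this page, not Microsoft's code and not Sotirov's: it walks the RIFF/ACON chunk list, pushes every anih chunk through a copy with memcpy_s semantics (written inline because memcpy_s is not portable), and then applies a duplicate-chunk mutation with an inflated size to a constructed sample file. The 36-byte ANIHEADER size and the fourcc names are real; the sample bytes, the filler value and the helper names are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ANIH_SIZE 36u                        /* sizeof(ANIHEADER) in an .ani file */
typedef struct { uint8_t raw[ANIH_SIZE]; } ANIHEADER;
enum { ANI_OK = 0, ANI_BAD_RIFF, ANI_TRUNCATED, ANI_OVERSIZED_ANIH };

static uint32_t le32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void put_le32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Bounded copy with memcpy_s semantics: refuses (and wipes dst) when count
 * exceeds the destination, so the caller has to name the destination size.
 * The flawed pattern the post describes was the plain form
 *     memcpy(&hdr, data, size);   // size taken from the chunk header
 * in which nothing ties the attacker-controlled size to sizeof(hdr). */
static int copy_anih_s(ANIHEADER *dst, const uint8_t *src, uint32_t count)
{
    if (count > sizeof dst->raw) {
        memset(dst, 0, sizeof *dst);
        return -1;
    }
    memcpy(dst->raw, src, count);
    return 0;
}

/* Walk a minimal .ani: "RIFF" <size> "ACON", then <fourcc><size><data> chunks.
 * Every anih chunk, not just the first, goes through the bounded copy. */
static int parse_ani(const uint8_t *buf, size_t len, ANIHEADER *hdr, int *anih_seen)
{
    size_t off = 12;
    *anih_seen = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_BAD_RIFF;
    while (off + 8 <= len) {
        uint32_t size = le32(buf + off + 4);
        const uint8_t *data = buf + off + 8;
        if (size > len - (off + 8))              /* chunk claims more than the file holds */
            return ANI_TRUNCATED;
        if (memcmp(buf + off, "anih", 4) == 0) {
            (*anih_seen)++;
            if (copy_anih_s(hdr, data, size) != 0)
                return ANI_OVERSIZED_ANIH;       /* the second-anih case lands here */
        }
        off += 8 + size + (size & 1);            /* RIFF pads odd chunk sizes */
    }
    return ANI_OK;
}

/* Constructed sample (not a real cursor): one well-formed 36-byte anih chunk. */
static size_t build_sample_ani(uint8_t *out, size_t outcap)
{
    size_t n = 12 + 8 + ANIH_SIZE;
    if (outcap < n) return 0;
    memcpy(out, "RIFF", 4); put_le32(out + 4, (uint32_t)(n - 8)); memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4); put_le32(out + 16, ANIH_SIZE);
    memset(out + 20, 0, ANIH_SIZE);
    put_le32(out + 20, ANIH_SIZE);               /* cbSizeof field of the header */
    return n;
}

/* The fuzz manipulation the post says the templates lacked: duplicate an
 * existing chunk at the end of the file with an inflated declared size and
 * matching filler, so only the size check on the copy can catch it. */
static size_t dup_chunk_inflated(const uint8_t *in, size_t inlen, const char *fourcc,
                                 uint32_t new_size, uint8_t *out, size_t outcap)
{
    size_t off = 12;
    if (inlen < 12) return 0;
    while (off + 8 <= inlen) {
        uint32_t size = le32(in + off + 4);
        if (size > inlen - (off + 8)) return 0;
        if (memcmp(in + off, fourcc, 4) == 0) {
            size_t need = inlen + 8 + new_size + (new_size & 1);
            if (need > outcap) return 0;
            memcpy(out, in, inlen);
            memcpy(out + inlen, fourcc, 4);
            put_le32(out + inlen + 4, new_size);
            memset(out + inlen + 8, 0x41, new_size + (new_size & 1));  /* assumed filler */
            put_le32(out + 4, (uint32_t)(need - 8)); /* keep the RIFF size honest */
            return need;
        }
        off += 8 + size + (size & 1);
    }
    return 0;
}

/* Demo entry point: parse the sample as is (mutate == 0) or after the
 * duplicate-anih mutation (mutate != 0); reports the anih chunks walked. */
static int check(int mutate, int *count)
{
    uint8_t f[64], m[256]; ANIHEADER h; int seen = 0;
    size_t n = build_sample_ani(f, sizeof f);
    const uint8_t *p = f;
    if (n && mutate) { n = dup_chunk_inflated(f, n, "anih", 100, m, sizeof m); p = m; }
    int rc = n ? parse_ani(p, n, &h, &seen) : ANI_BAD_RIFF;
    if (count) *count = seen;
    return rc;
}
static int anih_count(int mutate) { int n = 0; check(mutate, &n); return n; }
```

The unmutated sample parses cleanly with one anih chunk walked; the mutated file is rejected with ANI_OVERSIZED_ANIH on its second anih chunk, which is exactly the record the original fuzz templates never produced. Note that the truncation check alone would not have caught it: the mutation supplies all 100 bytes it declares, so the file is internally consistent and only the destination-size check on the copy fails.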

One Windows Vista defense-in-depth mitigation that did kick in was the combination of UAC and Protected Mode Internet Explorer. These technologies put up a roadblock and limited the damage from the .ani attack, but, as Mark Russinovich explained at CanSecWest last week, malware writers can still build exploits that do their damage from Vista's standard-user default.

"The SDL is not perfect, nor will it ever be perfect," Howard argued. "We still have work to do, and this bug shows that. We have a new -GS pragma that adds more stack cookies; we've updated our fuzz tools; we will pay closer attention to exception handlers that could mask vulnerabilities, and we will investigate the impact of banning memcpy for new code," he added.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


Talkback (most recent of 43)

Thanks - good info to have
This is the kind of stuff that MS should be applauded for. (Even though they aren't my favorite company and windows isn't my choice of OS.)... (Read the rest)
Posted by: woot! on 05/01/07