Microsoft pulls a Barbie

Microsoft explains how it missed a serious IE bug for NINE years or, as the company chooses to title this blog post, MS08-078 and the SDL:

Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception.

The bug was an invalid pointer dereference in MSHTML.DLL when the code handles data binding. It's important to point out that there is no heap corruption and there is no heap-based buffer overrun!

Memory-related TOCTOU bugs are hard to find through code review; we teach TOCTOU issues, and we teach memory corruption issues, and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues. We will update our training to address this.

Our static analysis tools don't find this because the tools would need to understand the re-entrant nature of the code.

In theory, fuzz testing could find this bug, but today there is no fuzz test case for this code.

Even though Windows Vista and Windows Server 2008 have both ASLR and NX enabled by default, Internet Explorer 7 does not opt-in to these defenses owing to compatibility issues with many common applications. Internet Explorer 8 enables these defenses by default.

On Windows Vista and Windows Server 2008, this is a major defense that comes into play against the currently circulating exploits. When the exploit code runs, it's running at low integrity because IE runs at low integrity, and this means the exploit code cannot write to higher integrity portions of the operating system, which is just about everywhere!

For our server platforms, Windows Server 2003 and Windows Server 2008, Internet Explorer Enhanced Security Configuration also prevents the exploit from working because the vulnerable code is disabled.

How was the bug found?

We really don't know how the bug was found, but some of the security people in Internet Explorer and the Trustworthy Computing Security teams suggest that the bug was either "stumbled upon" or found through directed fuzzing. The finder could spend as long as he or she wanted to find this one bug. This is one of the things that makes security hard - security is a highly asymmetric problem: software developers must get the code right 100% of the time in a very short amount of time, while attackers can spend as long as they want to find one bug. This isn't an excuse; it's a fact of life.

As you can see from this post, many defenses in Windows did not come into play, but all it takes is one defense to help stop or reduce the chance that an exploit will succeed, and in the case of Windows Vista and Windows Server 2008, Internet Explorer's Protected Mode was that defense.

So I’m going to call this the Barbie defense (as in, “math is hard!”). Maybe it will catch on. :)
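The memory-related TOCTOU pattern the excerpt describes (check a pointer and index, call out to code that can re-enter and mutate the list, then use what was checked) written up as an added illustration in C, together with the defensive shape a reviewer would look for. This is constructed example code, not MSHTML or Microsoft's fix; the elem/elemlist types, the generation counter and the reference pin are my own modelling choices.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed toy model of a data-bound element list walked by a rendering
   loop; the per-element callback stands in for script that can re-enter the
   engine and mutate the list mid-walk. Not MSHTML code or Microsoft's fix. */
typedef struct { int refs, removed, visited, value; } elem;
typedef struct { elem *items[8]; size_t count; unsigned generation; } elemlist;
static void elem_release(elem *e) { if (--e->refs == 0) free(e); }

/* Removal bumps the generation counter so an in-flight walker can notice. */
static void list_remove(elemlist *l, size_t idx) {
    elem *e = l->items[idx];
    memmove(&l->items[idx], &l->items[idx + 1], (l->count - idx - 1) * sizeof e);
    l->count--; l->generation++;
    e->removed = 1; elem_release(e);   /* frees e unless someone pinned it */
}

/* Unsafe shape: "e = items[i]; cb(); use(e); use(i)" - pointer and index were
   checked before the call-out and may be stale after it (the memory TOCTOU).
   This walker pins e with a reference first and re-validates the list after. */
static int walk_list(elemlist *l, void (*cb)(elemlist *, elem *, size_t)) {
    int total = 0;
    for (size_t i = 0; i < l->count;) {
        elem *e = l->items[i];
        if (e->visited) { i++; continue; }
        e->visited = 1; e->refs++;        /* e stays allocated across cb */
        unsigned gen = l->generation;
        cb(l, e, i);                      /* may remove e or shift the list */
        if (!e->removed) total += e->value;   /* time of use: still live? */
        elem_release(e);
        i = (gen != l->generation) ? 0 : i + 1;  /* changed: rescan from 0 */
    }
    return total;
}

/* Re-entrant callback: element 1 removes itself while being processed;
   element 2 removes the last element behind the walker's back. */
static void mutate_cb(elemlist *l, elem *e, size_t idx) {
    if (e->value == 1) list_remove(l, idx);
    else if (e->value == 2) list_remove(l, l->count - 1);
}

/* Builds [1,2,3], walks it under mutation; returns the sum of live values (2). */
int run_demo(void) {
    elemlist l = { {0}, 0, 0 };
    for (int v = 1; v <= 3; v++) {
        elem *e = calloc(1, sizeof *e);
        e->refs = 1; e->value = v; l.items[l.count++] = e;
    }
    int total = walk_list(&l, mutate_cb);
    while (l.count) list_remove(&l, l.count - 1);   /* cleanup */
    return total;
}
```

The thing to flag in review, or to teach a checker, is any pointer or index captured before a call that can run script and used after it without being pinned or re-validated.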

Discuss this Article (22 comments)

Waethorn
on Dec 22, 2008
....yet another reason to upgrade to Vista.
Waethorn
on Dec 22, 2008
I'd say the "Barbie defense" works for them in this case. Security IS hard, but: "Protected Mode just works - even against stuff we don't know about". So Paul, what were you saying about people not being able to pay you to go back to XP? ;)
Waethorn
on Dec 22, 2008
I'd say the real "Barbie defense" would be users saying "security is annoying", so they turn it off.
Ocean
on Dec 22, 2008
Transparency, admission of mistakes, being proactive: This is a new MS. This is good stuff. Thank goodness Gates is gone.
Ocean
on Dec 22, 2008
This is just funny. Enjoy: >>IBM tried, and spent a huge amount of money developing OS/2 but could never keep up with Windows. Apple tried to create their own system for years, but finally gave up recently and moved to Intel and Microsoft. It's just not possible that a freeware like the Linux could be extended to the point where it runs the entire computer from start to finish, without using some of the more critical parts of windows. Not possible.<< http://paranoidmike.blogspot.com/2008/02/as-david-hsing-says-best-troll-...
mikegalos@msn.com
on Dec 22, 2008
Clicking a UAC "OK" button is hard! :-) Actually, despite Paul's "Barbie defense" implication, this kind of problem is insanely hard to find manually and pretty tricky to find even with state of the art tools. It sounds like the latest version of the internal security test tools will now cover it. Of course, the downside is that it'll take longer to run those tests and to weed out the false positives. And, of course, as Waethorn points out, the inherent security features of Windows Vista, 7 and Server 2008 are amazingly effective at protecting against even unexpected security risks.
mikegalos@msn.com
on Dec 22, 2008
Ocean Actually, all the proactive openness came about while Bill Gates was still running the company as did the big security pushes. Sorry to burst your demonizing.
mikegalos@msn.com
on Dec 22, 2008
btw: If you are at all interested in security (or are going to make technical comments on this posting) you should really read Michael Howard's article that Paul references. The excerpt really doesn't do the article justice. And, of course, Michael Howard is about the best person on the planet to read on anything relating to computer security. He literally wrote THE book on the subject.
PatriotB6007
on Dec 22, 2008
Paul, I wouldn't stress the "NINE years" -- It's not like they've been actively reviewing the databinding code each and every year trying to find holes in it. My guess is that the databinding code hasn't even been looked at since it was first written for IE4 -- except for the 2002 security review and of course now.
Lindy
on Dec 22, 2008
"....yet another reason to upgrade to Vista." Or you could go less drastic, cheaper and much quicker to implement.......Fire Fox 3. Honestly, with IE's history of holes and its lackluster performance, who (that knows there are other alternatives) uses it??? I use IE, on a rare occasion, to verify/test my OWA is working in premium mode, after applying those oh so wonderful Exchange 2007 SP1 rollup patches, and then I close it.
Ocean
on Dec 22, 2008
Mike, Perhaps. But at that time it was in name only. The company had moved on, even if just now we're starting to reap the benefits.
ehcap
on Dec 22, 2008
Lindy, you are missing the point; the new security enhancements in Windows Vista, 7 and 2008 protect the user from unknown exploits, that's the real advantage. It's not about this bug or even Internet Explorer, it's about 3rd party software as well such as Firefox, Opera or any other application; the new security enhancements will provide an extra layer of security that XP just doesn't have.
Waethorn
on Dec 23, 2008
"Or you could go less drastic, cheaper and much quicker to implement.......Fire Fox 3." Welcome to Bizarro World: http://blogs.zdnet.com/security/?p=2304 http://blogs.zdnet.com/security/?p=2322 Firefox still doesn't have a "Protected Mode". IE does. Firefox does what instead? Relieving itself [sic] of your memory?!
Lindy
on Dec 23, 2008
"Firefox does what instead" Does not have a 9 year old whole. Runs way faster, especially 3.1 and has Adblock Plus.
Lindy
on Dec 23, 2008
@ehcap I am fully aware of what you get with Vista. Security is by far its biggest advantage (if not the only) over XP, with the sandbox mode for IE. I have recommended Vista or OS X to a few people I know that have teenage children that they can't/won't control what they do on a PC. I got tired of rebuilding XP for them.
shark47
on Dec 23, 2008
"Does not have a 9 year old whole [sic]" ... that you know of. In any case, I wouldn't be surprised if IE7 has had fewer holes than FF2 and FF3, especially on Vista. If speed is all you care about, there's Chrome anyway. It's probably the ad blocker that caused Google to release its own browser, so I wouldn't be surprised if Google found a way to show more ads on a web page than other browsers.
Waethorn
on Dec 23, 2008
Serious questions: At what state is/was Android considered "1.0" release status? Wasn't Chrome only *just* RTM'ed? Doesn't that mean that the apps on shipping HTC Dreams are in beta? More importantly, who the f* would pay for a phone with officially beta-status software on it? (snide comments about any other phone aside)
Waethorn
on Dec 23, 2008
"If speed is all you care about, there's Chrome anyway." If speed is all you care about, there's XP anyway. If speed is all you care about, there's 98 anyway. If speed is all you care about, there's 95 anyway. If speed is all you care about, there's 3.1 anyway. If speed is all you care about, there's DOS anyway. If speed is all you care about, there's the human brain anyway. Maybe you should use yours Lindy. (Good point Sharky!)
gorath
on Dec 23, 2008
I remember a quote from FastTracker II many moons ago (which was a DOS stalwart). "Windows, bringing the power of yesterday's computing.... Today!"
shark47
on Dec 23, 2008
"Windows, bringing the power of yesterday's computing.... Today!" Thank God. I will be ready for today tomorrow. Today, I am barely ready for yesterday. Yesterday was a different story altogether. That said, wasn't there a study that said Windows had fewer vulnerabilities than competing products and was quicker to patch them?
mikegalos@msn.com
on Dec 23, 2008
"[W]asn't there a study that said Windows had fewer vulnerabilities than competing products and was quicker to patch them?" Actually, quite a few of them. You can generally find them under Days-of-risk assessments if you do a search. Microsoft's security group gives themselves a report card every so often (I think it's 2x per year) based on that sort of thing.

For example, in 1H2008, total vulnerabilities by OS were:
Microsoft - 58
Ubuntu - 153
Apple - 222
Red Hat - 292

Weighting those using the NIST severity criteria it's:
Microsoft - 53.2
Ubuntu - 75.8
Apple - 96.5
Red Hat - 121.5

For Days-of-risk, for all vulnerabilities (this is how long it took between a flaw being discovered and the patch going out):
Microsoft - 24.22 days
Ubuntu - 72 days
Apple - 97.95 days
Red Hat - 105 days

If we just look at High Risk flaws, the Days-of-risk is:
Microsoft - 25.5 days
Red Hat - 37.5 days
Ubuntu - 42.02 days
Apple - 70.6 days

Looking at it another way is percentage of vulnerabilities fixed within 1 day:
Microsoft - 89.7%
Red Hat - 38%
Ubuntu - 23.5%
Apple - 17%

You can, of course, find lots of other studies from other sources. They'll tend to say the same basic things. Microsoft Windows has fewer vulnerabilities and is faster at fixing them than their competitors.
Ocean
on Dec 23, 2008
More: >>In a security bulletin released yesterday, Microsoft is saying a somewhat simply exploitable vulnerability exists in all presently used versions of SQL Server dating back to SS 2000 Service Pack 4. It has to do with a Transactional-SQL (T-SQL) statement which apparently uses a parameter that isn't checked for type. BetaNews has seen the code for a publicly available exploit based on information uncovered by security engineer Bernhard Mueller, who contributed information to two of the incidents covered by Microsoft's last Patch Tuesday round. Mueller is the good guy in this story; unfortunately, malicious users with no ingenuity of their own rely on news from Mueller and others for their inspiration. Based on what we've seen, we can say it's a fairly simple process to run a T-SQL script, or run commands from the command line, that use the sp_replwritetovarbin command to trigger a heap buffer overflow.<< http://www.betanews.com/article/Microsoft_acknowledges_a_longstanding_SQ...