How did THAT security vulnerability slip through?


Michael Howard (of the Secure Development Lifecycle team at Microsoft) has posted a detailed analysis of the recent MS07-017 security vulnerability, and the lessons learned from examining the code responsible for the vulnerability.  Great read.

A core tenet of the SDL is to take and incorporate lessons learned when we issue a security update, and there is a great deal to learn from the recent animated cursor bug, MS07-017, so I want to spend a few minutes to go over some of the things we have learned from this bug.

First of all, this code is pretty old; it is in Windows 2000, and predates the SDL. The SDL has parts (i.e., design review, threat modeling, testing, and security push) that focus on the product as a whole, and parts (i.e., code review and use of tools) that are focused on code. In the Windows Vista process, we banned certain APIs, like strcpy and strncpy, and changed well over 140,000 calls to use safer calls. memcpy wasn’t on that list. We also built in a lot of defense-in-depth measures because we know that the SDL can’t catch everything. Let’s start by looking at some of the defense-in-depth measures we have in place that didn’t stop the threat:

Read the rest of the post here.
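The point Howard makes about memcpy is that the call itself is not the defect; the defect is copying a length that came from the file without checking it against the destination. The C below is an added illustration of that bug class and its hardened form, not code from Howard's post or from Windows. The chunk layout (a 4-byte little-endian length followed by payload), the MAX_PAYLOAD limit, the function names and the sample inputs are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed chunk layout for illustration: a 4-byte little-endian length
 * followed by that many payload bytes. Constructed format, not the real
 * animated-cursor (RIFF/ANI) structure. */
#define MAX_PAYLOAD 32u

struct chunk {
    unsigned char payload[MAX_PAYLOAD];
    size_t len;
};

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded copy with memcpy_s-style semantics: the destination capacity is an
 * explicit argument and the call fails instead of writing past it. */
int bounded_copy(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (dst == NULL || src == NULL || n > dst_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* The bug class the post discusses: memcpy with a length taken straight from
 * the input. Kept here only for contrast; it must never see untrusted data. */
int parse_chunk_unchecked(const unsigned char *buf, size_t buf_len, struct chunk *out)
{
    if (buf_len < 4)
        return -1;
    uint32_t n = read_le32(buf);
    memcpy(out->payload, buf + 4, n);   /* n never compared to MAX_PAYLOAD or buf_len */
    out->len = n;
    return 0;
}

/* Hardened version: the declared length is validated against both the
 * destination capacity and the bytes actually present before any copy. */
int parse_chunk_checked(const unsigned char *buf, size_t buf_len, struct chunk *out)
{
    if (buf == NULL || out == NULL || buf_len < 4)
        return -1;
    uint32_t n = read_le32(buf);
    if (n > MAX_PAYLOAD)
        return -2;                        /* would overflow payload[] */
    if (n > buf_len - 4)
        return -3;                        /* header claims more bytes than were supplied */
    if (bounded_copy(out->payload, sizeof out->payload, buf + 4, n) != 0)
        return -4;                        /* defense in depth: cannot happen after the checks above */
    out->len = n;
    return 0;
}

/* Constructed inputs: a well-formed chunk, one whose length field lies about
 * the payload size, and one that is truncated relative to its header. */
static const unsigned char good_chunk[]      = { 0x04, 0, 0, 0, 'A', 'B', 'C', 'D' };
static const unsigned char oversized_chunk[] = { 0xFF, 0xFF, 0, 0, 'A', 'B', 'C', 'D' }; /* claims 65535 bytes */
static const unsigned char truncated_chunk[] = { 0x08, 0, 0, 0, 'A', 'B', 'C', 'D' };    /* claims 8, has 4 */

int demo_good(void)      { struct chunk c; return parse_chunk_checked(good_chunk, sizeof good_chunk, &c); }
int demo_oversized(void) { struct chunk c; return parse_chunk_checked(oversized_chunk, sizeof oversized_chunk, &c); }
int demo_truncated(void) { struct chunk c; return parse_chunk_checked(truncated_chunk, sizeof truncated_chunk, &c); }

int main(void)
{
    printf("good=%d oversized=%d truncated=%d\n", demo_good(), demo_oversized(), demo_truncated());
    return 0;
}
```

The checked parser returns distinct codes so a caller (or a fuzzer harness) can tell a capacity violation from a truncated input; both are rejected before memcpy runs. Banning the raw call and routing copies through a bounded helper like bounded_copy is the kind of mechanical API change the post describes for strcpy and strncpy; the length checks against the actual buffer are the part a tool cannot add for you.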
