July 29, 2009 12:24 PM PDT

Single misplaced '&' caused latest IE exploit

by Lance Whitney

A security hole in Internet Explorer that opened the browser to hackers since early July was caused by a single typo in Microsoft's code.

An errant ampersand ("&") took the blame for the exploit, admitted Microsoft in a blog published Tuesday at its Security Development Lifecycle (SDL) Web site.

Michael Howard, a security program manager at Microsoft, explained in his blog that the typo corrupted the code of an ActiveX control used by the browser. The control was created by Microsoft using an older library of code, which Howard admitted has flaws. Because of those flaws, the typo caused the code to write untrusted data to the wrong place, exposing the browser to the bad guys.

Outside of its regular Patch Tuesday routine, Microsoft issued an emergency fix for IE, which it said would block attempts to exploit the flaw in ActiveX controls.

Development tools like Microsoft's own Visual Studio use the same library of code, known as Active Template Library (ATL). On the same day it released the emergency patch for IE, the company also released a Visual Studio fix.

Howard said the typo would have been difficult to spot in a review of the code, and that none of Microsoft's code analysis methods would have uncovered it either.

In his blog, Howard played a high-tech version of "Where's Waldo?" by challenging readers to find the typo amid a few short lines of code, even hinting that it was a single character.

The code lines he listed were:
__int64 cbSize;
hr = pStream->Read((void*) &cbSize, sizeof(cbSize), NULL);
BYTE *pbArray;
HRESULT hr = SafeArrayAccessData(psa, reinterpret_cast<void**>(&pbArray));
hr = pStream->Read((void*)&pbArray, (ULONG)cbSize, NULL);

And his riddle for readers:
"I'll give you one more clue - it's a one character typo. Give up? Look at the last line. The first argument is incorrect. It should be: hr = pStream->Read((void*)pbArray, (ULONG)cbSize, NULL);"
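The following is an added example, not code from Howard's post or from Microsoft; it models the snippet above with a small in-memory stand-in for IStream::Read (MemStream, buggy_read and fixed_read are assumed names). It shows that with the stray "&" the bytes read from the stream land in the pointer variable pbArray itself, while the buffer it points to is never written, and contrasts that with the corrected call plus a length check against the buffer size that the snippet in the article does not show.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for IStream::Read, constructed for this example (not COM, not Microsoft's
// code). Like the real interface it takes void*, so the compiler cannot tell a
// BYTE* from a BYTE** at the call site; a uint8_t* parameter would have rejected &pbArray.
struct MemStream {
    std::vector<uint8_t> data;
    size_t pos = 0;
    long Read(void* pv, unsigned long cb, unsigned long* pcbRead) {
        size_t n = std::min<size_t>(cb, data.size() - pos);
        std::memcpy(pv, data.data() + pos, n);
        pos += n;
        if (pcbRead) *pcbRead = static_cast<unsigned long>(n);
        return 0;  // S_OK
    }
};

// The article's buggy form: "&pbArray" hands Read() the address of the pointer variable,
// so stream bytes overwrite the pointer instead of filling the buffer. cb is capped at
// sizeof(pbArray) so the demo stays in bounds; the real code had no cap, and cbSize itself
// came from the same untrusted stream.
uintptr_t buggy_read(MemStream& s, uint8_t* buf, unsigned long cb) {
    uint8_t* pbArray = buf;
    s.Read((void*)&pbArray, std::min<unsigned long>(cb, sizeof pbArray), nullptr);
    uintptr_t v;
    std::memcpy(&v, &pbArray, sizeof v);  // inspect the clobbered pointer; never dereference it
    return v;
}

// The one-character fix (pbArray, not &pbArray), plus a bound on cb against the
// buffer size that the snippet in the article does not show.
bool fixed_read(MemStream& s, uint8_t* buf, size_t bufSize, unsigned long cb) {
    if (cb > bufSize) return false;  // untrusted length must not exceed the buffer
    uint8_t* pbArray = buf;
    s.Read((void*)pbArray, cb, nullptr);
    return true;
}

// True if the stray '&' put the stream bytes into the pointer and left the buffer untouched.
// The stream holds 32 bytes of 0xFF, constructed here to stand in for attacker-supplied data.
bool buggy_clobbers_pointer() {
    MemStream s; s.data.assign(32, 0xFF);
    uint8_t buf[16] = {0};
    return buggy_read(s, buf, 16) == UINTPTR_MAX && buf[0] == 0;
}

// True if the fixed call fills the buffer and rejects an oversized length.
bool fixed_fills_buffer() {
    MemStream s; s.data.assign(32, 0x41);
    uint8_t buf[16] = {0};
    return fixed_read(s, buf, sizeof buf, 16) && buf[0] == 0x41 && buf[15] == 0x41
        && !fixed_read(s, buf, sizeof buf, 64);
}
```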

The hole was originally uncovered earlier this month by a pair of German researchers. Thomas Dullien (also known as Halvar Flake), CEO of Zynamics GmbH, and his friend Dennis Elser detailed their discovery in a blog. After the exploit became known, the two did some digging into the code and found the unwanted "&" character.

So what will Microsoft do to guard against future typos?

In his blog, Howard acknowledged the need to clean up the company's coding process. He said that Microsoft will update the tools it uses to find these types of errors. The company will also require its programmers to use the newer ATL code. In the past, Microsoft never told its programmers what to use. But, Howard says in his blog, "We're going to change that!"

Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. You can follow Lance on Twitter at @lancewhit. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.
by Harlan879 July 29, 2009 12:51 PM PDT
Gah, C++ sucks. Any decent language with any decent compiler would have realized that it's a bad idea to try to cast a double pointer to a single pointer, and at least thrown a scary warning. "WARNING: Casting BYTE ** to void *. You're probably going to regret that."
Reply to this comment
by JoeF2 July 29, 2009 3:15 PM PDT
Actually, most such programs are written in C++ or even C. Nobody wants to take the performance hit of such checks at runtime.
The compiler should have shown a warning, though. Static code analysis would have found that. Heck, Visual Studio has a static code analyzer (not the best one, but it works). Seems they don't switch that on.
by knowles2 July 30, 2009 2:27 PM PDT
Bet they will now, though.
Wonder how many other typos will be discovered.
by c|net Reader July 31, 2009 9:56 AM PDT
I hate to break it to you, but the fault lies with the API being called. If Read() didn't take a void *, the compiler would have complained if the programmer passed &pbArray. If the programmer had, properly, used a static_cast rather than a C-style cast (permitted, unfortunately, by C++ for compatibility), the compiler would still have complained. Thus, the fault lies with the void * parameter and the use of a C-style cast. A proper C++ interface, for a function like Read(), would use a char * parameter and a good C++ programmer would have used static_cast. Thus, the compiler would have caught the mistake.

C++ doesn't hold your hand. You have to know what's safe and what isn't. If you do what isn't safe, then you can't blame the language/compiler for not helping you. For those that want hand holding at every turn, choose another language.
by alenas July 29, 2009 12:55 PM PDT
This just shows how dangerous C/C++ is...
Time to move to modern languages guys...
Reply to this comment
by pentest July 30, 2009 10:55 PM PDT
Too bad C and C++ is usable in many areas that Java, C#, Python, etc, can not touch.
by c|net Reader July 31, 2009 9:59 AM PDT
C++ can be used very safely without losing efficiency, but it does require wisdom. C++ can be abused and will give a programmer plenty of rope with which to make a noose. Other languages can do many things very well, but C++ is still one of the best at expressivity, flexibility, and efficiency. If you don't care about efficiency, or it isn't the most important attribute for your code, you may well choose another language. Many of us cannot afford to do so.
by pentest August 2, 2009 2:24 PM PDT
C and C++ are two completely different languages. There is no such thing a C/C++.

C++ is a bloated mess, worse than Ada. C is an excellent lower level language, but you do need to know what you are doing, most "programmers" do not.
by BogusBasin July 29, 2009 12:55 PM PDT
Has anyone seen my &? I've misplaced my &. Here &! Here boy!

Amen
Reply to this comment
by Random_Walk July 29, 2009 12:56 PM PDT
...I thought .NET was supposed to be above that sort of thing?
Reply to this comment
by catchall July 29, 2009 1:00 PM PDT
.Net is.
Most modern languages will greatly mitigate problems like this.

No one, however, writes an OS in a high level language. There are lots of reasons.
by dhavleak July 29, 2009 3:32 PM PDT
Yep.. this isn't managed code.. the CLR doesn't come into the picture here..
by Random_Walk July 29, 2009 3:35 PM PDT
Err, IE isn't an OS, Redmond's protests to the contrary. ;)

It would be curious to see what language they did write it in, though.
by dhavleak July 30, 2009 2:22 AM PDT
dude! It's C++

Scroll up to the absolute bang middle of the article and see the three lines of C++ staring you square in the face. I've long suspected (from reading your posts) that you aren't very tech savvy, but now I know..
by willdryden July 30, 2009 3:27 PM PDT
The code in the article makes activex a C++ interpreter. It does not indicate what language they used to write IE.
by c|net Reader July 31, 2009 10:01 AM PDT
IE is written in C++. Once in a great while, you'll see certain error messages that are telltale signs of it (like calling an unimplemented pure virtual function).
by The_happy_switcher July 29, 2009 12:57 PM PDT
SS Microtanic sunk by an ice cube in the ocean. Hilarious.
Reply to this comment
by Vegaman_Dan July 29, 2009 5:07 PM PDT
Thank you for your comments. I'm sure they will be treated with all the respect and credibility that you have earned here in your time on CNET.
by The_happy_switcher July 29, 2009 7:02 PM PDT
You're welcome. Btw, what do you think became of Applerocks1963?
by uptheironsrafi July 30, 2009 6:20 AM PDT
He switched back to Microsoft?
by MeepMan August 12, 2009 7:29 PM PDT
No, he switched from Apple to Apple. Which is almost as funny as his comment.

One major problem though: Microsoft meets h@te in America, where as Navy and Coast Guard do not. If anything, what is funny is the SS Trashintosh went on a Safari and ended up swimming with the fishes on the bottom of the sea... along with the 20th Anniversary Macintosh!

PS: It's the SS Trashintosh because its a universally-respected POS. What it was doing on a Safari when Mozilla could have saved it is nobody's business, unless they rent scuba gear to fix it.
by SwissJay July 29, 2009 12:59 PM PDT
CNET, any truth to this? http://arstechnica.com/microsoft/news/2009/07/windows-7-ultimate-activation-cracked-with-oem-master-key.ars
Reply to this comment
by Vegaman_Dan July 29, 2009 5:10 PM PDT
It's true - the Ultimate key issued to Lenovo got leaked by someone at Lenovo. However, it only works with the Lenovo key and that's likely to be shut down shortly.

Unfortunately there are always social exploits.
by ti99_forever July 29, 2009 1:03 PM PDT
Gee - I glanced at the code snippet and saw the error first time!
Microsoft, where is *my* job?
Reply to this comment
by NoVista July 30, 2009 6:11 PM PDT
Where's your H-1B Visa?!
by inachu1 July 29, 2009 1:05 PM PDT
I bet a lot of code they use is still copyrighted from year 1983
Reply to this comment
by Lerianis3 July 29, 2009 4:27 PM PDT
Could be, to be blunt. Really, some things haven't changed enough for the code for them to be updated yet.
by FF2009 July 29, 2009 1:18 PM PDT
another reason to not use this M$ piece of crap Browser.
Reply to this comment
by Lerianis3 July 29, 2009 4:28 PM PDT
Nope, because Firefox could have THESE SAME THINGS HAPPEN! Get off the IE hate, the fact is that these things can crop up in any major browser, Microsoft or not.
by Vegaman_Dan July 29, 2009 5:12 PM PDT
I heard that FireFox has had zero flaws since it was released with version 1.0. All this news about Firefox security updates, patches, flaws found, or even that they have newer versions than 1.0 are completely untrue. Don't believe their website either. The product is PERFECT and has never needed to be updated.

Yeaaaaaaaaaah, I don't know that you should be throwing stones so close to your glass house.
by Inconnux July 29, 2009 5:52 PM PDT
yet only Microsoft ties its browser so closely to its OS. This is exactly why people with common sense should avoid IE like the plague. At least if it was a Firefox exploit it wouldn't be tied to the Core OS. #1 way to improve your systems security is to dump IE.
by unknown unknown July 30, 2009 3:26 AM PDT
@Vegaman_Dan Do you have a link to documentation of this flaw? I've not been able to find anything about such a flaw. I have found past zero-day flaws, but nothing about an unpatched one going back to 1.0.
by Dalkorian July 30, 2009 9:48 AM PDT
@unknown unknown, you need to learn how to read Dan's comments. This one is what we would call the classic deflection technique, where he points out the fact that no software is *PERFECT* to deflect you from recognizing exactly how bad IE really is.

I mean really now, look at that code again. It looks like something you'd see on an exam in a first year C++ course - spot the problem here. Anyone who doesn't get it shouldn't be writing any type of networking software, let alone a web browser, and that includes most API monkeys at Redmond.
by alegr July 29, 2009 1:26 PM PDT
The programmers who wrote that and other ATL crap don't quite know C or don't care about safe programming... You never need to cast any pointer to void*. Those gratuitous casts are source of bugs. Though not in this case. There was also no need to declare pbArray as BYTE*. Doing that instead of using void* led to another unnecessary reinterpret_cast.

The actual code also has a memory leak in case pStream->Read failed. This can be used for DOS.
Reply to this comment
by JoeF2 July 29, 2009 3:18 PM PDT
The funny thing is that the static analyzer in Visual Studio would find such things.
All they have to do is actually switch it on...
by Dalkorian July 30, 2009 9:41 AM PDT
Care about safe programming? I doubt most people at M$ could *DEFINE* safe programming!
by Henry Michael Karshis July 29, 2009 2:07 PM PDT
& that's the way it is...
Reply to this comment
by sebastien.kalonji July 29, 2009 2:31 PM PDT
It's a good thing the EU forces MS to also add safe browsers to Windows 7. Although it's a shame they didn't force them to add a safe OS to the package.
Reply to this comment
by Lerianis3 July 29, 2009 4:29 PM PDT
Oh, get off it idiot. You are expecting an impossibility, a totally problem-free browser.
by Vegaman_Dan July 29, 2009 5:16 PM PDT
It's a shame that the EU didn't decide to outlaw any and all Microsoft products, create a military force to storm into people's homes and rip out their systems physically, throw all Windows users in jail, and force the entire continent to *only* use Apple Computers. THAT is the only solution.

Oh wait, or was that Linux? Okay, we'll send the EU hit squads out again to take out all the Macs and replace them with Linux systems.

Or... you could get a life. Of all those options, I think this one is the most productive.
by directorblue July 29, 2009 2:42 PM PDT
The funniest thing about this article... none of the hResults are even checked.

Or are some magical exceptions going to be caught somewhere upstream?

Reason #4,260 that Microsoft's software engineering ain't exactly MILSPEC.
Reply to this comment
by dhavleak July 29, 2009 3:35 PM PDT
That's not necessarily the complete code snippet. It's just whatever Michael Howard needed to get his point across. Chances are, each of those lines of code is actually inside a macro that checks the hr. No need to post the exact code in the blog because it's noise for the purpose of the blog..
by Vegaman_Dan July 29, 2009 5:18 PM PDT
"Reason #4,260 that Microsoft's software engineering ain't exactly MILSPEC."

Thank goodness for that! Go take a look at what MILSPEC means when implemented and you'll have all sorts of fun there.
by redjuggler July 29, 2009 3:57 PM PDT
Microsoft is always adding on to their original systems, while other OS (ahem) are constantly building new and exciting features. Man, I could use a big MAC.
Reply to this comment
by Lerianis3 July 29, 2009 4:30 PM PDT
Again, get off it. The fact is that Vista and 7 were pretty much totally rewritten when it comes down to it. Sure, some code was 'reused' from earlier operating systems because there was nothing wrong with it, but that is true in OSX and Linux as well.
by rapier1 July 29, 2009 6:49 PM PDT
Ummm... do you really think every bit of code distributed by Apple was rewritten from the ground up?
Wow. That's really special.
by Dalkorian July 30, 2009 10:04 AM PDT
Alright, it's a slow morning so I'm willing to play with the trolls somewhat. First off, "adding on to" and "building new and exciting features" sounds pretty much the same to me so that statement makes absolutely no sense whatsoever. Secondly, when you use all caps you are typically referring to an acronym; "MAC" typically stands for Media Access Controller (though there are many others as well, we have to go with the context it was used in though). The abbreviation for Macintosh is typically just "Mac" (notice it's not all caps!). Normally I would just blow past this though, considering it a troll's comment, but then the M$ apologists show up to argue about it!

As I said, it's been a slow morning (not that unusual, considering the company has Mac clients connecting to an AIX server) so I thought I'd join in the fun.

Oh, one last thing (trying to throw napalm on the fire here) - fista, including sp3 (aka w7) comes with WGA built right in. Look it up, it's yet another "feature" that you won't find in a real OS. But that's OK, why would you want to have control of your own computer anyway? Tis better to blame others than to assume responsibility, right? The M$ killswitch is there for your protection, to protect you from your own stupidity and criminal intent. Resistance is useless! Submit to your master, slave!
by p7a July 30, 2009 10:04 AM PDT
Typo my ass. Typo implies your fingers hit the wrong keys. This programmer got confused and dereferenced a pointer. So what, it happens. But it definitely is not a typo.

Like some commenters mentioned, this should have been flagged by compile-time code analysis.
Reply to this comment
by T_Hoff July 30, 2009 10:28 AM PDT
He didn't dereference the pointer, he took the address of the pointer. It's the exact opposite of dereferencing.
by T_Hoff July 30, 2009 10:26 AM PDT
Time to get an enterprise license for Gimpel's PC-lint -- that will catch such errors.
Reply to this comment
by pentest July 30, 2009 10:54 PM PDT
This is a freshman computer science mistake. Very typical of the amateur hour work at Microsoft.
Reply to this comment
by Patrick5651 July 31, 2009 9:06 PM PDT
It seems that I've read somewhere that someone is attaching sound to code. Would it be doable to 'hear' something in the code that would be useful as an identifier for difficult situations as described?
Reply to this comment