Microsoft to hunt for new species of Windows bug

Microsoft plans to scour its code to look for flaws similar to a recent serious Windows bug and to update its development practices to prevent similar problems in future products.

The critical flaw, in the way Windows Meta File images are handled, is different than any security vulnerability the software maker has dealt with in the past, Kevin Kean and Debby Fry Wilson, directors in Microsoft's Security Response Center, said in an interview with CNET News.com. Typical flaws are unforeseen gaps in programs that hackers can take advantage of and run code. By contrast, the WMF problem lies in a software feature being used in an unintended way.

In response to the new threat, the software company is pledging to take a look at its programs, old and new, to avoid similar side effects.

News.context

What's new:
Microsoft plans to scour its code to look for flaws similar to a recent serious Windows bug and to update its Security Development Life Cycle process to prevent similar problems.

Bottom line:
The new species of flaw creates a new twist in Microsoft's battle with hackers, as it works to improve its security practices.

More stories on this topic

"Now that we are aware that this attack vector is a possibility, customers can be certain that we will be scrubbing the code to look for any other points of vulnerability based on this kind of attack," Fry Wilson said.

Microsoft has been working for years to improve its security posture, beginning with its Trustworthy Computing Initiative, launched in early 2002. The WMF problem is not a good advertisement for Microsoft's security efforts, one analyst said, as the legacy issue seemingly went undetected.

"This should have been caught and eliminated years ago," Gartner analyst Neil MacDonald said. "They overlooked image format files, and that is where this WMF issue came in."

Microsoft now faces a race with cybercriminals, who are likely on the prowl for the same bugs as well, experts said. The software maker is in a constant battle with miscreants who seek to attack computer users.

When WMF files were designed in the late 1980s, a feature was included that allowed the image files to contain computer code that could be executed on a PC, said Mikko Hypponen, chief research officer at Finnish security company F-Secure.

"This was not a bug; this was something that was needed at the time," Hypponen said. "It is just bad design, design from another era." The graphics file format was introduced with Windows 3.0 in early 1990. Executable code in the image file could help abort the processing of large images on the slow systems of yesteryear, security experts said.

"This should have been caught and eliminated years ago."

--Neil MacDonald, analyst, Gartner

Ilfak Guilfanov, a European software developer who made headlines by beating Microsoft to the punch with a fix for the Windows flaw, agreed. "WMF was designed a long time ago, when information security was not considered an essential part of software design," he said.

Trojan horses, instant messaging worms and thousands of Web sites were found to attack users with specially crafted WMF files. A vulnerable Windows computer might have been compromised simply if the user visited a Web site that contained a malicious image file, or opened such a file in an e-mail message or an Office document.

Many of the attacks installed spyware or other unwanted programs on the PCs of unwitting Windows users. At least a million computers were compromised, according to Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. The WMF issue is also expected to be a conduit for many future threats, experts have said.

Response speed
Microsoft's fix for the flaw was the quickest turnaround ever for a Microsoft patch, released only 10 days after the vulnerability was made public, Fry Wilson said.

While Microsoft was able to repair the problem in record time, the company was surprised by the type of vulnerability.

"It is not a common buffer overflow," Kean said. "The software has a behavior that people can take advantage of. Obviously we did not intend it to be used in that way."

Microsoft has learned from the WMF flaw and will put the lessons into practice, Fry Wilson said. The software maker will update its Security Development Life Cycle, a set of practices that Microsoft's developers follow to prevent security vulnerabilities in products. The process includes the software maker's threat-modeling system, which checks code for potential security problems.

[David Mittman]

CNET: Apple's Safari vs. Microsoft Bugs?

Anyone else notice the similarity between the application icon
for Apple's Safari web browser and the compass artwork for
CNET's article on the Hunt for New Species of Windows Bug?

[mcthingy2]

Cut 'n Paste Art Director

Good catch David!

[JorisEvers]

Oops - Microsoft on bug Safari

Thanks for catching that. The image is being changed as I type this.

Joris
CNET News.com

[Thrudheim]

How bizarre

to put Safari's icon in a story about bugs in Windows!

It is a direct ripoff of the safari icon

All they did was remove the little nub by the N indicator. CNET has stolen the Safari icon and have modified it for their own use.

[SqlserverCode]

Expect delays

Expect delays on Vista because of this
Next thing you know is they will stop all development and go through all the source code
This happened before....

<a class="jive-link-external" href="http://otherthingsnow.blogspot.com/" target="_newWindow">http://otherthingsnow.blogspot.com/</a>

[Bill Dautrive]

It is a shame

That MS didn't comb through the code BEFORE they unleashed it on the public. That would make too much sense.

[Betty Roper]

Agreed

Why this didn't happen years ago is unbelievable. You would think fear of liability alone would make them take action.

Less work on Windows Live, more on cleaning up Windows.

[Adilallawi]

Microsoft should open its source code

We have heard all this before. In 2003 MS boasted that it had spent $200 million retraining developers to write secure code. Why should users have any confidence in their statements this time? The real problem is that this year the stakes are higher. Whereas in the past viruses were written by amature hackers for fun the new threats will be combined with Spyware and Phishing to extort serious money from compromised users. Just search Google for "Spyaxe" for an idea of the future. If Microsoft cannot be trusted to secure their operating system then they should open the source to the public so that the user community can. Apple do this already with Webkit and Darwin without compromising their intellectual property. Microsoft should do the same.

[Hernys]

They already do.

Microsoft shares the source for most of Windows and some other products with thousands of researchers, with universities and goernment entities.
They find some of the bugs, but most of them are found internally by MS.
Sharing source code, while an appealing concept, doesn't give the results some might expect. The number of vulnerabilities found in OSS projects is roughly on par with what Microsoft's products have for similar functionality (and both are below what most other companies have, including Apple, Adobe, IBM, Oracle and others).
Plus making the source available would give more malicious hackers the opportunity to find flaws before the right ones do. At least with closed source most vulnerabilities are being found internally. While the well intentioned public might found some interesting vulnerabilities, malware writers have a bigger incentive to invest time in look for vulnerabilities, and the source code gives more of them the ability to do so (it requires a certain level of skills to find vulnerabilities without access to source code).
And before someone claims that the number of active exploits, malware, viruses and spyware for Windows is way higher than for Linux or other OSS projects, that's what can be expected all other things being equal when a product has over ten times the market share, is used by unsophisticated users, and is the common denominator the commercial malware writers should be looking at.

Thanks Ilfak Guilfanov!

I want to publicly thank Ilfak Guilfanov for releasing the MS Windows Metafile file vulnerability fix (see <a class="jive-link-external" href="http://www.hexblog.com/2005/12/wmf_vuln.html" target="_newWindow">http://www.hexblog.com/2005/12/wmf_vuln.html</a>). Unfortunately Microsoft won't be releasing a fix
for Windows NT 4.0 (or Windows 9X) as they no longer support these operating systems. So for now (or until Microsoft freezes over) I'll be using Ilfak Guilfanov's hoxfix on my Windows NT 4.0 system.

[TMB333]

Pay the Public for Flaws

What if Microsoft paid their consumers for flaws that are discovered? I'm not talking about paying everyone for every flaw found, I'm talking about paying the person who discovered it!

Set some reasonable monetary value. Say $100 for any exploitable flaw found. Provide a means (i.e. secured webpage) for someone to report the bug and time stamp it. Define the terms by which the bug must be described, i.e. what must be done to reproduce the problem, or what steps must be taken. And if it pans out, Microsoft should pay the $100 to the first person that found the problem. Later on, after a fix is developed, display that person's name and a brief description of the vulnerability to provide more incentive for that person to want to find more bugs.

I would suspect that this would weed out some of the more serious issues quite quickly and as time goes on there will be less and less bugs to be found. Of course Microsoft would need to have a department who's sole purpose is to decipher through the possibly thousands of submissions they will receive, and then another team to fix the bugs as they're discovered.

Theoretically, this should work better than having to create a department of software engineers to weed through all of their code on their own, primarily because of the sheer number of people who will be trying to 'break' Microsoft's code for some dough. This is a twist on the concept of Open Source Code, without actually 'Opening the Source' because you're basically setting an incentive for greater numbers of people to want to discover and report the bugs.

You can't polish a turd.

MS is like GM, mismanaged and making crap products and then saying they are great. All talk, nothing changes. Only fools accept their BS. MS software is the biggest consumer fraud ever. Linux or Macs never had and never will have this problem. "You can't polish a turd". Thousands of paid MS software types can't make a better product than volunteer Linux developers. Go Linus Torvalds. What Gates is doing is a crime.

[Jake Leone]

Message has been deleted.

[Jake Leone]

Message has been deleted.

[vaujanolo]

Microsoft Has Found A Bug?

What? Not Microsoft?

I thought everyone knew Microsoft had a bug. Its called
Windows.

How Microsoft has taken over the computer operating system
with such insecure, bloated, over priced software, is beyond me.
I saw someone congratulating Microsoft for speeding a patch to
market in 9 days!

Apple, who do occasionally find security issues, usually issue
patches within a week or so.

How come there are thousands of viruses etc on Windoze and
barely a single one on Apple OS?

Well those people who just have to have Windoze may soon have
an answer. The Mac going Intel should mean that if you buy a
Mac, you will be able to install a dual boot. Windoze to use your
Windoze only programmes and Mac OS when you want to ghet
the job done (or when your Windoze installation gets yet another
gremlin).

[ananthap]

Microsoft standard practice

It's really a pity that microsoft with all their resources cannot maintain continuity of knowledge and review old products (not in current development)for newly discovered types of vulnerabilities.

Makes one wonder what is the "scrubbing" that will be achiieved.

[aqvanavt]

New Windows OS

I've often wondered why MS has taken the "build onto" way of Windows developement, rather than taking everything they must have learned in 20 years of patching the same relative platform to create a truely new OS from the ground up. It can't be economics. I used software from AnalogX to find unused dlls on my machine running WinXP and came up with a list of 411 dlls that were not being used by anything, not linked to anything and were replaced by other newer windows dlls. When I went to archieved them Windows crash warnings went off everywhere like 4th of july and my machine would only boot in safe mode and would only do that to tell me I'm missing necessary dlls?????
How much new can my machine hold?

[kitcar]

how much can the machine hold?

My current study says that you can hold 4,543,002,641 .dlls that aren't being used. Now if they are being used by a prefetch, you can only have 3,263,471,032 .dlls. If you clean your system you sould be able to get that down to 3,263,471,030. As MS tells me, "reinstall windows" which should only take 4 days to reinstall your programs. Now, if you have more than 10 programs that you use this process should take no more than 20 days but only if you are "registered" using .NET. Of course with .NET installed your system will run at 50%. So you'll not want to install .NET when you reinstall Windows which means that you won't be able to use .NET to find the help you need to reinstall Windows. If you have .NET and want to reinstall Windows using a recovery CD, you'll need to run the CD to recognize the CD but only if you have .NET which has to be installed after reinstalling Windows which means that your Windows is already registered but you can't use it because it's not validated. That should only cost $154.00 (US) but only if you have the recovery CD which you can only get if you have a validated version of Windows which won't validate because you haven't purchased the $154.00 (US) validation. Once that is done, the process starts over if you call Microsoft and pay for tech support.

[likes2comment]

Solve all MS problems - Get Vista!

Come one, come all, Get you new Windows OS now. Upgrade now. Make our bank and stockholders happy. Be sure to upgrade to more Windows products though, do not consider Linux (Suse, Red Hat, etc) for your next OS. This message will repeat in three years for the next Windows upgrade cycle.

[Jake Leone]

Microsoft is helping the Chinese Government eliminate the free press.

Microsoft deleted a blog that was on U.S. Soil. Because the Chinese government was scared of the information presented in this blog.

This blog

- Did not violate any known law in China
- Did NOT CONTAIN any illicit material
- Contained information important to the Chinese people.
- Was a newsworthy log
- Was stored on U.S. servers

Think about it, Microsoft deleted news worthy, wholesome content from U.S. soil. They are violating the U.S. constitutional guarantee of freedom of speech.

Further they are even violating Microsoft's own code of conduct regarding these accounts. AS NO LAWS WERE BROKEN IN CHINA OR THE UNITED STATED.

This logger did not break any laws. His blog was full of useful, wholesome, important information that was for the benefit of the Chinese people.

Mr. Bono, if really a friend of Bill Gates, should explain (and understand) that people need the ability to express themselves. Something which Mr. Bono and Mr. Gates enjoy.

But something that Microsoft (the company) doesn't care about.

Microsft seems to have done a Repressive Act on U.S. soil, and their sole motivation was the profit.

[Macsaresafer]

And you're surprised because?

When has Microsoft ever done anything for the good of its users?
Even when Bill Gates gets involved in philanthropy, there are almost
always strings attached. Usually, he donates Windows computers
but gets credit for giving money. So now his company steps on
American rights for profit, and we're supposed to be shocked?

[kitcar]

if they want to find bugs.....

Maybe they should find the bugs in their programs like moviemaker 2.0 that makes it crash every 2 minutes even when you have over go gig of ram. Of course it's easy to prevent worms and such from attacking when you have to reset your system every two minutes. Pure genius. Maybe a dance would solve the problem.

<a class="jive-link-external" href="http://www.windowscrash.com/albums/movies/dancemonkeyboy.mpeg" target="_newWindow">http://www.windowscrash.com/albums/movies/dancemonkeyboy.mpeg</a>

[wti]

"defect" revelation is win16 lurking in Ring0 on win32/win64

The revelatory "new" defect isn't "code-in-data" or even specifically graphics image file formats.

Yes, of course, those are real problems.

The revelation is that win16 code, lurking in strategic, Ring0, WinOS-innards, like GDI32.DLL, are capable of severely compromising win32 and win64 OS-es.

Two things need to be done about this:

1) No win16 code should be running in Ring0 on a 32-bit or 64-bit WinOS.

MS moved GDI32.DLL into Ring0 as part of some Sevice Pack to Win2k. This was done, at the behest of "gamers," to speed up graphics operations in the all-in-one W2k OS. GDI32.DLL continues to run in Ring0 on all WinOSes since then.

People who knew better at the time, balked when MS did this; but MS proclaimed that there would be *no* security or stability implications of moving GDI32 to Ring0, because the code in GDI32 had "proven itself" in the real world.

To that, we must now say, pshaw...

What other WMF-flaws will turn up in GDI32.DLL that are software defects that originated in the pre-NT-era, and were then carried forward into NT3.5/NT4, where GDI32.DLL did *not* run in Ring0, yet are now running in Ring0???...

That any "unauthorized memory access" defects residing in GDI32.DLL might be less severe (as in DoS-only) than the latest abuse of (win16) SetAbortProc is pure accident and not by design.

Not remediating these defects (SetAbortProc, ExtCreateRegion, ExtEscape, ad nauseum), as soon as they become known, is nothing less than MS using its customers to play a dangerous Game of Chicken, always waiting to see if the BadGuys can leverage UMA into Remote Code Execution, before Doing The Right Thing. Of course, MS has no liability whtsoever for any costs/losses incurred by its Defect-Daring Customer Chickens as a result of deliberately delayed patching.

2) With the advent of NT-Technology, MS touted that WindowsOnWindows would protect win32 from crippling effects of known-to-be-crap win16 code.
The myth of WoW protection is a promise that now needs to be honored and delivered by MS. Win16 needs to be sufficiently and effectively sandboxed, once and for all.

The expedient thing for MS to do would be to summarily kill off "backward compatibility" in future WinOSes; but without 1) above, it's doubtful that MS has a real idea where all of embedded win16 lurks in win32/win64.

After moving all win16 out of Ring0, all of win16 then needs to be rigorously sandboxed, on every WinOS that continues to harbor win16 code in it.

*This* is the "bug hunt"/remediation that MS needs to undertake, if it takes Security seriously and cares about the computing safety of its customers.

It's a Big Deal to Do only because MS has put off doing it off for far too long.

[Andrew J Glina]

Clarification

It was done in NT4, not a Win2K Service Pack. But don't worry, they agree with you and are putting back the way it was.

<a class="jive-link-external" href="http://www.techworld.com/news/index.cfm?RSS&#38;NewsID=5002" target="_newWindow">http://www.techworld.com/news/index.cfm?RSS&#38;NewsID=5002</a>

Don't forget thought that most OSes, including Linux, have some video code in the kernel. It all depends on how much you trust the code I suppose.

Incidently, I have heard that Win16 is finally (after 10 years of unneccesary backwards compatabilty) killed on Win64, but I have not tested this yet.

[gnewey]

Bug?

WMF isn't a windows bug. It's a backdoor that was coded in on purpose by Microsoft.