Microsoft Vulnerability Underscores Importance of Strong SDL
Sometimes it's the little things. According to Microsoft, one of the bugs in the Active Template Library was the result of a typo. "The extra '&' character in the vulnerable code causes the code to write potentially untrusted data, of size cbSize, to the address of the pointer to the array, pbArray, rather than write the data into the array, and the pointer is on the stack," wrote Michael Howard, a principal security program manager in Microsoft's security engineering and communications group, in a post on the company's Security Development Lifecycle (SDL) blog. "This is a stack-based buffer overrun vulnerability." The mistake is the core issue involving the MSVidCtl ActiveX control, which was created by Microsoft using a private, internal version of the Active Template Library (ATL). The company patched vulnerabilities in ATL yesterday as part of an out-of-band emergency fix. "I contend that this would be very difficult to spot in a code review, and is not picked up by the C/C++ compiler owing to the (void*) cast," Howard wrote. "If the cast is removed, the compiler issues a warning like this: C2664: ' "I despise C-style casting because it's utterly unsafe; C++ casting is safer, although the reinterpret_cast operator is almost as bad as C-style casting. "In the SDL we require that teams fuzz their controls, but our fuzzing tools didn't find this because the method in question requires a specially formed input stream that includes many sentinel bytes," he continued. "I explain the weaknesses of fuzzing here. We are in the process of adding more heuristics to our fuzzing engine so it can include these COM-specific bytes if needed." Howard goes on to discuss a second bug involving the use of ATL property maps to instantiate a COM object. He admits that their SDL has no requirements or recommendations for using ATL property maps, and that, at least in theory, fuzzing should have uncovered the problem. Without disputing the actual level of difficulty involved in catching the mistake, the situation clearly underscores the importance of code review. After all, it is the little things that make the difference between being vulnerable and being secure. |
Comments (1)
Mike Howard is right though, having seen the snippet of code that is posted on the SDL blog it isn't something a great number of code reviewers would ever catch. It is a very innocous addition, and when reviewing several hundred lines of code a single misplaced & is really hard to notice. The most methodical reviewers would likely have caught it, and I have certainly met a few of them in my time, but they are a rare breed.
I'm not convinced this does underline the importance of code review, especially as you can't really say whether or not one was performed on this code or not (Howard certainly doesn't mention one way or the other). I think what it really demonstrates is that some security vulnerabilities are just a single typo away, and can be really hard to catch, hence why 100% vulnerability free code won't ever be a reality. No process, regardless of how methodical, will catch everything.
Posted by Josh | July 29, 2009 5:56 PM