Welcome to MSDN Blogs Sign in | Join | Help

Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!
Why Blaster did not infect Windows Server 2003

I've been meaning to write about this for some time, but while pondering over my very dead laptop (it won't even get to the “Choose an OS to boot' option”, I remembered.

The code which Blaster took advantage of was in the released version of Windows 2003 :( but the worm itself did not infect Windows Server 2003 machines, here's why: the /GS flag. The buffer-overrun was detected by the -GS handling code, which caused the OS to shut the RCPSS process down. Sure, not a good thing - but a heck of a lot better than being infected by the worm. You can read more about /GS in Brandon Bray's blog http://blogs.msdn.com/branbray/archive/2003/11/11/51012.aspx.

In case you're not aware, Windows XP SP2 is also compiled with the latest 'n' greatest version of /GS.

Another cool thing in Whidbey is /GS is implicit; if you compile code using this:

cl -c mycode.cpp

You get the -GS stack-overrun detection code by default :))

If you don't want this option (why don't you want it?), then you must compile with /GS-

Posted: Sunday, May 23, 2004 4:22 PM by michael_HOWARD
Filed under:

Comments

Ilya said:

Btw about OS compilation (not relevant to Blaster issue actually): why XP Home tries to load non-existent EFSADU.DLL in each process it starts? Why Home is not properly recompiled to dropp off unsupported features from XP Pro?
# May 23, 2004 8:30 PM

Andreas Häber said:

Hm.. in "You get the -GS stack-overrun detection code by default :(" did you mean to have ":)" at the end instead? ;) seems like a good thing IMO!
# May 24, 2004 1:17 AM

Andreas Häber said:

Hm.. in "You get the -GS stack-overrun detection code by default :(", did you mean to have ":)" at the end instead? ;)

IMO this seems like a good thing!
# May 24, 2004 1:22 AM

Andreas Häber said:

oh.. sorry for double posting :/
# May 24, 2004 1:24 AM

MIchael Howard said:

My bad - thanks!
# May 24, 2004 7:03 AM

Michael said:

Ilya - Home and Pro aren't separate compiles. They're built from the same source code, and each binary in Home is identical to the binary in Pro. There may be some exceptions, but I don't know of any off the top of my head.

This makes development and serviceability easier. Imagine if each patch had to have a separate pro and home version.
# May 24, 2004 8:38 AM

Ilya said:

Easier indeed. But from the other hand it is also implies potential issues (take a look at example above: what if there is such DLL and it is not authentic?) Does such implications simply considered as acceptable risk?
# May 25, 2004 2:24 AM

MIchael Howard said:

>>it is not authentic
Windows File Protection :)
# May 25, 2004 9:47 AM

Ilya said:

But how? :) The DLL is not ships "in the box" with operating system because there is no EFS support in Home. It is not a system file anymore, but from the other hand the Home's binaries (identical to Pro's) are up to it.
# May 25, 2004 7:43 PM

A Blog for Graymad said:

# May 26, 2004 1:56 PM
New Comments to this post are disabled
Page view tracker