Why Windows Vista is unaffected by the VML Bug

Published 10 January 07 07:43 PM

MS07-004 does not affect Windows Vista, even though the coding bug is there. Why?

The bug is an integer overflow when calling C++ operator::new, but the affected component, vgx.dll, is compiled with the C++ compiler available in Visual Studio 2005, which automatically detects integer overflows at runtime. All of Windows Vista is compiled with this compiler.
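An added illustration of the bug class described above, not code from vgx.dll or from the original post: it models the 32-bit size arithmetic behind an array new, with and without an overflow check. The Record type, the element count, the toy allocator limit, and the saturate-to-maximum form of the check are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Constructed 8-byte element type; stands in for whatever the parser allocates.
struct Record { uint32_t a, b; };

// 32-bit size arithmetic as on x86 Windows, modelled with uint32_t so the
// example behaves the same on a 64-bit build.
using size32 = uint32_t;
constexpr size32 kSizeMax = std::numeric_limits<size32>::max();

// Size that "new Record[count]" requests with no check: the product wraps.
size32 unchecked_request(size32 count) {
    return count * static_cast<size32>(sizeof(Record));
}

// Checked form (assumed behaviour): on overflow, request the maximum size so
// the allocator is forced to fail instead of returning a short buffer.
size32 checked_request(size32 count) {
    uint64_t wide = static_cast<uint64_t>(count) * sizeof(Record);
    return wide > kSizeMax ? kSizeMax : static_cast<size32>(wide);
}

// Toy allocator: succeeds only below a constructed 1 GiB heap limit.
bool alloc_succeeds(size32 bytes) { return bytes <= (1u << 30); }

// Bytes a loop over `count` records would write past the buffer.
// 0 means the buffer is large enough; -1 means the allocation failed.
int64_t bytes_past_buffer(size32 count, bool checked) {
    size32 req = checked ? checked_request(count) : unchecked_request(count);
    if (!alloc_succeeds(req)) return -1;        // caller sees a clean failure
    uint64_t needed = static_cast<uint64_t>(count) * sizeof(Record);
    return static_cast<int64_t>(needed - req);  // > 0 is a heap overflow
}

int main() {
    const size32 hostile = 0x20000001u;  // constructed count from untrusted input
    std::printf("unchecked request: %u bytes\n", (unsigned)unchecked_request(hostile));
    std::printf("checked request:   0x%X\n", (unsigned)checked_request(hostile));
    std::printf("past buffer, unchecked: %lld\n", (long long)bytes_past_buffer(hostile, false));
    std::printf("past buffer, checked:   %lld\n", (long long)bytes_past_buffer(hostile, true));
    return 0;
}
```

With the check in place, the oversized request turns into an allocation failure, so malformed input fails to load instead of corrupting the heap.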

You can read more about this compiler change in a previous blog.

The moral of this story is that developers will never find all code-level security bugs, so you need other defenses. Just in case!

Comments

# Guillaume said on January 11, 2007 7:40 AM:

Good news!

But I wonder: while not a security issue, it is still a bug. Do you know what Microsoft's patching policy is in this case?

If this bug sets the trend, it will only be corrected in the next release of vgx.dll, either via some unfortunate security issue or a service pack.

PS: I loved the SDL book!

# Weber Ress said on January 11, 2007 12:17 PM:

Hi Michael,

And what about Visual C++ Express Edition? Does it have the same control of integer overflows at runtime? I searched the Express documentation, but I didn't find information about this feature.

Best!

Weber Ress

# Weber Ress said on January 11, 2007 12:30 PM:

Portuguese version of this post.

http://www.weberress.com/2007/01/defesa-em-camadas-protege-windows-vista.html

# michael_HOWARD said on January 11, 2007 12:55 PM:

Guillaume, we issue security patches for security bugs only :)

# Susan said on January 11, 2007 1:02 PM:

Release candidate is though.

http://www.microsoft.com/downloads/details.aspx?familyid=052484bf-2fd4-4922-b1a9-1f0da9bc727b&displaylang=en&tm

This update addresses the vulnerability discussed in Microsoft Security Bulletin MS07-004. To find out if other security updates are available for you, see the Overview section of this page.

# Dean Harding said on January 11, 2007 5:38 PM:

Guillaume: It's not a bug at all in the case of Vista. You're passing in what is essentially invalid VML. That Vista fails to load it is perfectly fine. That Windows XP (et al) DO NOT fail is where the bug is.

At least, that's how I understand it.

# Softwareentwicklung ist COOL! said on January 12, 2007 5:57 AM:

In the webcast on "Security-Helferlein" it was still just theory; here is an example from practice:

# WebLog de Stéphane PAPP [MSFT] said on January 12, 2007 4:04 PM:

French translation of Michael HOWARD's post: Why Windows Vista is unaffected by the VML Bug Le

# Dave said on February 5, 2007 8:55 AM:

How does the Visual Studio compiler's security protection compare with, say, GCC's '-fstack-protector' and '-D_FORTIFY_SOURCE' options?

# michael_HOWARD said on March 16, 2007 4:27 PM:

Dave, first, -GS (stack protection) is enabled by default; is it enabled by default in GCC? Second, the fortify source sounds like something we have in VC++ 2005: http://blogs.msdn.com/michael_howard/archive/2005/02/03/366625.aspx
