Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!
Why Windows Vista is unaffected by the VML Bug

MS07-004 does not affect Windows Vista, even though the coding bug is there. Why?

The bug is an integer overflow when calling C++ operator::new, but the affected component, vgx.dll, is compiled with the C++ compiler available in Visual Studio 2005, which automatically detects integer overflows at runtime. All of Windows Vista is compiled with this compiler.

You can read more about this compiler change in a previous blog.
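The bug class described above, as an added example (not code from vgx.dll, this post, or the Visual C++ compiler): it models the 32-bit size calculation behind an array `new` and shows a checked version that fails the allocation instead of handing back an undersized buffer. `Record`, the function names and the element counts are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>

// Constructed stand-in for a 16-byte element parsed from untrusted input.
struct Record { std::uint32_t fields[4]; };

// Models the size computation behind `new Record[count]` on a 32-bit target:
// count * sizeof(Record) is truncated to 32 bits, so a huge count wraps small.
std::uint32_t unchecked_bytes(std::uint32_t count, std::uint32_t elem_size) {
    return static_cast<std::uint32_t>(static_cast<std::uint64_t>(count) * elem_size);
}

// Checked form: refuse the request when the product does not fit in 32 bits.
bool checked_bytes(std::uint32_t count, std::uint32_t elem_size, std::uint32_t* out) {
    if (elem_size != 0 &&
        count > std::numeric_limits<std::uint32_t>::max() / elem_size) {
        return false;  // overflow: the caller must fail the allocation
    }
    *out = count * elem_size;
    return true;
}

// Allocation wrapper that fails closed instead of returning a short buffer.
Record* alloc_records(std::uint32_t count) {
    std::uint32_t bytes = 0;
    if (!checked_bytes(count, static_cast<std::uint32_t>(sizeof(Record)), &bytes)) {
        return nullptr;
    }
    return static_cast<Record*>(::operator new(bytes, std::nothrow));
}

int main() {
    const std::uint32_t hostile = 0x10000001u;  // constructed element count
    // Unchecked: 0x10000001 * 16 = 0x100000010, which truncates to 0x10 bytes,
    // yet later code would still believe it owns `hostile` records.
    std::printf("unchecked size: %u bytes\n", static_cast<unsigned>(unchecked_bytes(hostile, 16)));
    Record* bad = alloc_records(hostile);  // checked: request is rejected
    Record* ok = alloc_records(4);         // checked: 64 bytes, allocation succeeds
    std::printf("hostile rejected: %s, normal allocated: %s\n",
                bad == nullptr ? "yes" : "no", ok != nullptr ? "yes" : "no");
    ::operator delete(ok);
    return 0;
}
```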

The moral of this story is that developers will never find all code-level security bugs, so you need other defenses. Just in case!

Posted: Wednesday, January 10, 2007 7:43 PM by michael_HOWARD

Comments

Guillaume said:

Good news!

But I wonder: while not a security issue, it is still a bug. Do you know what Microsoft's patching policy is in this case?

If this bug sets the trend, it will only be corrected in the next release of vgx.dll, either via some unfortunate security issue or a service pack.

PS: I loved the SDL book!

# January 11, 2007 7:40 AM

Weber Ress said:

Hi Michael,

And what about Visual C++ Express Edition? Does it have the same control of integer overflows at runtime? I searched the Express documentation, but I didn't find information about this feature.

Best!

Weber Ress

# January 11, 2007 12:17 PM

michael_HOWARD said:

Guillaume, we issue security patches for security bugs only :)

# January 11, 2007 12:55 PM

Susan said:

Release candidate is though.

http://www.microsoft.com/downloads/details.aspx?familyid=052484bf-2fd4-4922-b1a9-1f0da9bc727b&displaylang=en&tm

This update addresses the vulnerability discussed in Microsoft Security Bulletin MS07-004. To find out if other security updates are available for you, see the Overview section of this page.

# January 11, 2007 1:02 PM

Dean Harding said:

Guillaume: It's not a bug at all in the case of Vista. You're passing in what is essentially invalid VML. That Vista fails to load it is perfectly fine. That Windows XP (et al) DO NOT fail is where the bug is.

At least, that's how I understand it.

# January 11, 2007 5:38 PM

Softwareentwicklung ist COOL! said:

In the webcast on "Security-Helferlein" it was still gray theory; here is an example from practice:

# January 12, 2007 5:57 AM

WebLog de Stéphane PAPP [MSFT] said:

French translation of Michael HOWARD's post: Why Windows Vista is unaffected by the VML Bug Le

# January 12, 2007 4:04 PM

Dave said:

How does the Visual Studio compiler's security protection compare with, say, GCC's '-fstack-protector' and '-D_FORTIFY_SOURCE' options?

# February 5, 2007 8:55 AM

michael_HOWARD said:

Dave, first, -GS (stack protection) is enabled by default; is it enabled by default in GCC? Second, the fortify source sounds like something we have in VC++ 2005: http://blogs.msdn.com/michael_howard/archive/2005/02/03/366625.aspx

# March 16, 2007 4:27 PM