MS08-067 and the SDL

About Microsoft’s MS08-67 security bulletin - Security and the Net

About Microsoft’s MS08-67 security bulletin - Security and the Net — Thu, 23 Oct 2008 22:12:25 GMT

PingBack from http://securityandthe.net/2008/10/23/about-microsofts-ms08-67-security-bulletin/

Security Bulletin MS08-067

Forefront & Security Blogs — Fri, 24 Oct 2008 00:55:03 GMT

Ich gehe davon aus, dass ihr alle davon gehört habt und auch schon den Patch überall drauf

Attack code for critical Microsoft bug surfaces

infoworld.com — Fri, 24 Oct 2008 03:28:48 GMT

Just hours after Microsoft posted details of a critical Windows bug, new attack code that exploits the

MS08-067 Released

Microsoft Teams & Staff — Fri, 24 Oct 2008 05:49:00 GMT

Hi, This is Christopher Budd. Following up on my post from last night, I wanted to let you know that

re: MS08-067 and the SDL

emmenjay — Fri, 24 Oct 2008 15:18:28 GMT

> First, the code in question is reasonably

> complex code to ... [snip] ... finding buffer

> overruns in loops, especially complex loops,

> is difficult to detect with a high degree of

> probability without producing many false

> positives.

I think you may have mistaken the reason for an excuse. Why do you have code that is too complex to review and/or analyse effectively? Why didn't the first code review reject it as bad code?

We (as an industry) understand the issues of complexity. We know that it hides bugs. It is **very** rare that a complex function cannot be reduced to a collection of simpler functions/classes/whatever.

Until we learn that complexity is evil, we'll keep having to make excuses as to why we missed a bug.

re: MS08-067 and the SDL

asteingruebl — Fri, 24 Oct 2008 19:54:38 GMT

Michael,

Any insight into how many places in the code you are doing similar things? Was this ever manually reviewed in depth? Was it detected on a "vulnerable" code path?

Apart from the specific coding error, are there other things that would have given you pause and/or made you want to rework this?

I'm thinking specifically about lots of manual string handling and pointer arithmetic. What if this had been written as another commenter suggested in a simpler fashion?

re: MS08-067 and the SDL

bcthanks — Sat, 25 Oct 2008 19:21:22 GMT

I agree with emmenjay. Somebody reviewed the source and did not flag it as dangerously hard-to-understand. Why?

"...successfully finding this bug would require a great deal of skill and luck."

Since Microsoft was forced to release an out-of-band patch, it means there is somebody out there that is very skilled and lucky to have found the bug and written an exploit.

re: MS08-067 and the SDL

fmerletti — Sun, 26 Oct 2008 21:54:34 GMT

citing[0]:

"This bug is pretty interesting, because it is in the same area of code as the MS06-040 [August 2006] buffer overflow, but it was completely missed by all security researchers and Microsoft. It's quite embarassing."

[0] http://www.phreedom.org/blog/2008/decompiling-ms08-067/

Microsoft out-of-band Security Bulletin (MS08-067) Webcast Q&A

Microsoft Teams & Staff — Tue, 28 Oct 2008 00:33:32 GMT

Is MS08-067 Wormable?

Jesper's Blog — Tue, 04 Nov 2008 15:18:16 GMT

A couple of weeks ago Microsoft released an out-of-band security update in bulletin MS08-067 . Looking

MSDN FLASH IRELAND - INTERNATIONAL RESOURCES - 17 NOVEMBER 2008

Microsoft Ireland Blog — Wed, 19 Nov 2008 15:22:36 GMT

a {color : #0033CC;} a:link {color: #0033CC;} a:visited.local {color: #0033CC;} a:visited {color : #800080;}

One Tool Does not Rule them All

The Security Development Lifecycle — Fri, 13 Feb 2009 00:44:13 GMT

Hello, Michael here... Over the last couple of years, I've released information about various Microsoft