Microsoft starts frantic bug hunt

Joris Evers CNET News

Published: 10 Jan 2006 09:10 GMT


Microsoft plans to scour its code to look for flaws similar to a recent serious Windows bug and to update its development practices to prevent similar problems in future products.

The critical flaw, in the way WMF images are handled, is different to any security vulnerability the software maker has dealt with in the past, Kevin Kean and Debby Fry Wilson, directors in Microsoft's Security Response Centre, said in an interview with ZDNet UK sister site CNET News.com. Typical flaws are unforeseen gaps in programs that attackers can exploit to run code. By contrast, the WMF problem lies in a software feature being used in an unintended way.

In response to the new threat, the software company is pledging to take a look at its programs, old and new, to avoid similar side effects.

"Now that we are aware that this attack vector is a possibility, customers can be certain that we will be scrubbing the code to look for any other points of vulnerability based on this kind of attack," Fry Wilson said.

Microsoft has been working for years to improve its security posture, beginning with its Trustworthy Computing Initiative, launched in early 2002. The WMF problem is not a good advertisement for Microsoft's security efforts, one analyst said, as the legacy issue seemingly went undetected.

"This should have been caught and eliminated years ago," Gartner analyst Neil MacDonald said. "They overlooked image format files, and that is where this WMF issue came in."

Microsoft now faces a race with cybercriminals, who are probably on the prowl for the same bugs as well, experts said. The software maker is in a constant battle with miscreants who seek to attack computer users.

When WMF files were designed in the late 1980s, a feature was included that allowed the image files to contain computer code that could be executed on a PC, said Mikko Hyppönen, chief research officer at Finnish security company F-Secure.

"This was not a bug; this was something that was needed at the time," Hyppönen said. "It is just bad design, design from another era." The graphics file format was introduced with Windows 3.0 in early 1990. Executable code in the image file could help abort the processing of large images on the slow systems of yesteryear, security experts said.
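As an added, defender-oriented example (not code from the article, from Microsoft or from F-Secure), the following walks the records of a WMF file and flags the escape record that carries the "abort processing" callback Hyppönen describes. The record type META_ESCAPE (0x0626) and the escape number SETABORTPROC (9) come from the published WMF format, not from this article; the sample files are constructed inline. A mail or web gateway can use such a check because legitimate image files essentially never register an abort procedure.

```python
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626          # record type carrying printer/driver escapes
SETABORTPROC = 0x0009         # escape that registers a callback routine
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus "placeable" header


def wmf_records(data: bytes):
    """Yield (function, params) for each record; stop at META_EOF or when a
    record size runs past the end of the data (truncated/malformed file)."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                  # skip placeable header
    if len(data) < off + 18:
        return                                    # no room for META_HEADER
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2                       # HeaderSize is in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                     # RecordSize includes itself
        if size < 6 or off + size > len(data):
            break
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_abortproc_escapes(data: bytes):
    """Return [(escape_function, byte_count)] for every SETABORTPROC escape."""
    hits = []
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, count = struct.unpack_from("<HH", params, 0)
            if esc == SETABORTPROC:
                hits.append((esc, count))
    return hits


def build_wmf(records):
    """Assemble a minimal standard-header WMF from (function, params) pairs
    (constructed sample data for testing the scanner; params must be even-length)."""
    body, max_rec = b"", 0
    for func, params in list(records) + [(META_EOF, b"")]:
        size_words = (6 + len(params)) // 2
        body += struct.pack("<IH", size_words, func) + params
        max_rec = max(max_rec, size_words)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


SETMAPMODE = (0x0103, struct.pack("<H", 8))       # harmless META_SETMAPMODE record
BENIGN_WMF = build_wmf([SETMAPMODE])
SUSPECT_WMF = build_wmf([SETMAPMODE, (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
```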

Ilfak Guilfanov, a European software developer who made headlines by beating Microsoft to the punch with a fix for the Windows flaw, agreed. "WMF was designed a long time ago, when information security was not considered an essential part of software design," he said.

Trojan horses, instant messaging worms and thousands of Web sites were found to attack users with specially crafted WMF files. A vulnerable Windows computer might have been compromised simply if the user visited a Web site that contained a malicious image file, or opened such a file in an email message or an Office document.

Many of the attacks installed spyware or other unwanted programs on the PCs of unwitting Windows users. At least a million computers were compromised, according to Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. The WMF issue is also expected to be a conduit for many future threats, experts have said.

Response speed
Microsoft's fix for the flaw was the quickest turnaround ever for a Microsoft patch, released only 10 days after the vulnerability was made public, Fry Wilson said.

While Microsoft was able to repair the problem...
