Slashdot Mirror


MS Mulling Changes to Thwart .ANI-type Attacks

Scada Moosh writes "ZDNet has a story about the lessons Microsoft learned from the recent animated cursor (.ani) attacks and some of the broad changes being made to flag this type of vulnerability ahead of time. The changes include a possible addition to the list of banned API function calls, more aggressive checks for buffer overruns and enhancements to existing fuzz testing tools. '[Michael] Howard said Microsoft will "rethink the heuristics" used by the /GS compiler to flag certain issues. "Changing the compiler is a long-term task. In the short-term, we have a new compiler pragma that forces the compiler to be much more aggressive, and we will start using this pragma on new code," he added. Two other Windows Vista security mechanisms -- ASLR and SafeSEH -- were also in place to catch code failures but, in the case of the .ani bug, Howard said the attackers were able to wrap vulnerable code in an exception handler to find ways around those mitigations.'"
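The /GS heuristic gap and the unchecked-length copy behind the summary above, as an added C example that is not from the Slashdot post, the ZDNet article or Microsoft: a parser that copies a length-prefixed header chunk into a fixed-size stack struct, shown in its unchecked form beside a hardened one. It assumes a simplified chunk layout (4-byte `anih` tag, 4-byte little-endian length, payload) and that `strict_gs_check` is the "more aggressive" pragma Howard refers to.

```c
/* Added example (not code from the Slashdot post or ZDNet article): a chunk
 * parser modelled on the .ani header-copy pattern, unchecked and hardened. */
#include <stdint.h>
#include <string.h>

#ifdef _MSC_VER
/* Assumption: strict_gs_check is the "more aggressive" pragma Howard describes;
 * it cookie-protects any function with a local buffer, not only char arrays. */
#pragma strict_gs_check(on)
#endif

/* Fixed-size header of plain scalars, like the 36-byte .ani header; the /GS
 * heuristic of the time only placed a cookie for functions with local arrays. */
typedef struct { uint32_t size, frames, steps, flags; } hdr_t;

static uint32_t rd32(const uint8_t *p) {           /* little-endian u32 */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable shape: the chunk's own length field sizes the copy into a stack
 * struct. Shown for contrast only; nothing below calls it. */
int parse_header_unchecked(const uint8_t *chunk, hdr_t *out) {
    hdr_t h;                                      /* stack struct, no array */
    memcpy(&h, chunk + 8, rd32(chunk + 4));       /* BUG: length unbounded */
    *out = h;
    return 0;
}

/* Hardened: tag, declared length and bytes actually available are validated
 * before any copy; a malformed chunk is rejected with an error code. */
int parse_header_checked(const uint8_t *chunk, size_t avail, hdr_t *out) {
    if (avail < 8 || memcmp(chunk, "anih", 4) != 0) return -1; /* no header */
    uint32_t len = rd32(chunk + 4);
    if (len != sizeof *out || avail - 8 < len) return -2;      /* bad length */
    memcpy(out, chunk + 8, len);
    return 0;
}

/* Constructed sample chunks: a well-formed header, and one claiming 4096 bytes. */
static const uint8_t good_chunk[] = { 'a','n','i','h', 16,0,0,0,
                                      16,0,0,0, 3,0,0,0, 3,0,0,0, 1,0,0,0 };
static const uint8_t bad_chunk[]  = { 'a','n','i','h', 0,0x10,0,0, 0,0,0,0 };

/* Frame count on success, or the parser's negative error code. */
int frames_of(const uint8_t *chunk, size_t avail) {
    hdr_t h;
    int rc = parse_header_checked(chunk, avail, &h);
    return rc ? rc : (int)h.frames;
}
```

The hardened parser rejects the oversized chunk before any byte is copied, which is the check a stack cookie, ASLR or SafeSEH can only partially substitute for after the fact.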

4 of 99 comments

  1. Re:Maybe... by Anonymous Coward · Score: 4, Funny

    Is it a male dinosaur?

  2. Related news by 140Mandak262Jamuna · Score: 5, Funny

    Old Bill's Livery and Horse Trading post announced that they have decided to strengthen the windows of the stable because horses were being stolen with surprising regularity. When the reporters queried the wisdom of strengthening the windows while the door is wide open and unlocked, Old Bill's assistant Steve threw the straw bales he was sitting on at the reporters.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

  3. Windows - be careful! by codergeek42 · Score: 2, Funny

    Always remember to practice SafeSEH by using the CON dev. :)

  4. Re:What is a banned API call? by 0xABADC0DA · Score: 2, Funny

    Probably because instead of the banned strncpy Microsoft are using strcpyEx, which includes an extra parameter "iAllowDeny". When set to 1, this prevents buffer overflows. But because of the unfortunate name, some programmers think it will 'allow' exploits so they set it to 0.

    If only Microsoft would add a C++lippy to MSVC to clear up these kinds of things.