Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Mulling Changes to Thwart .ANI-type Attacks

Posted by Zonk on from the thinking-around-the-problem dept.

Scada Moosh writes "ZDNet has a story about the lessons Microsoft learned from the recent animated cursor (.ani) attacks and some of the broad changes being made to flag this type of vulnerability ahead of time. The changes include a possible addition to the list of banned API function calls, more aggressive checks for buffer overruns and enhancements to existing fuzz testing tools. '[Michael] Howard said Microsoft will "rethink the heuristics" used by the /GS compiler to flag certain issues. "Changing the compiler is a long-term task. In the short-term, we have a new compiler pragma that forces the compiler to be much more aggressive, and we will start using this pragma on new code," he added. Two other Windows Vista security mechanisms -- ASLR and SafeSEH -- were also in place to catch code failures but, in the case of the .ani bug, Howard said the attackers were able to wrap vulnerable code in an exception handler to find ways around those mitigations.'"

19 of 99 comments (clear)

  1. Re:Maybe... by Anonymous Coward · · Score: 4, Funny

    Is it a male dinosaur?

  2. What is a banned API call? by solafide · · Score: 4, Interesting

    Does the banning of an API call mean that the call is still there, it just can't be officially used? Couldn't it still be used deviously to exploit it? Shouldn't we just remove the function from the API, not prevent the compiler from compiling code with that function being used?

    1. Re:What is a banned API call? by Rosyna · · Score: 3, Informative

      Take a gander at Microsoft's list. If the Safe options are on, the API is not available.

      It's all kinds of sexy... but basically, it removes functions in which programmers have frequently used incorrect or for which there is no absolutely correct way to use them and still validate user supplied data.

    2. Re:What is a banned API call? by VertigoAce · · Score: 2, Informative

      A banned API is one that is likely to cause security vulnerabilities. There are replacements for most of them that are less likely to have problems, but they aren't part of the official C standard library.

      Microsoft's build tools will treat any calls to banned APIs as errors. They aren't removed from the system because they are used by many existing applications. For example, both strcpy and strncpy are banned at Microsoft. Yet many people have been using strncpy as a replacement for strcpy, so it needs to be in the CRT library.

    3. Re:What is a banned API call? by 0xABADC0DA · · Score: 2, Funny

      Probably because instead of the banned strncpy Microsoft are using strcpyEx, which includes an extra parameter "iAllowDeny". When set to 1, this prevents buffer overflows. But because of the unfortunate name, some programmers think it will 'allow' exploits so they set it to 0.

      If only Microsoft would add a C++lippy to MSVC to clear up these kinds of things.

  3. Default deny policy by sd.fhasldff · · Score: 3, Insightful

    While risking being out of sync with Slashdot's schizophrenic stance on Microsoft-bashing, let me lower my hammer on this one:

    "The changes include a possible addition to the list of banned API function calls"

    That's exactly the problem with security under Windows! (okay, there are other problems as well)

    Microsoft needs to apply a "default deny" policy to all aspects of Windows' security and this sort of thing wouldn't be a problem in the first place. There shouldn't be a list of BANNED calls, there should be a list of safe ALLOWED calls.

    I'm not saying that other operating systems couldn't do a better job too, but security is one (huge) area where Microsoft really and truly sucks - and it isn't something they can solve overnight, either. It seems ingrained in their philosophy and permeates all aspects of Windows (and other products).

  4. Related news by 140Mandak262Jamuna · · Score: 5, Funny

    Old Bill's Livery and Horse Trading post announced that they have decided to strengthen the windows of the stable because horses were being stolen with surprising regularity. When the reporters queried the wisdom of strengthening the windows while the door is wide open and unlocked, Old Bill's assistant Steve threw the straw bales he was sitting on at the reporters.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Incremental approach. by RightSaidFred99 · · Score: 3, Insightful
    The main problem is that complex software is just hard to secure. And not just complex MS software - they are not the only ones suffering these kinds of vulnerabilities.

    This incremental approach will eventually result in operating systems that are secure to all but the most sophisticated local attacks. You can't stop the attack where someone just downloads something and blindly runs it. Unlike most people, I don't think computer OS's and apps will always be as insecure as they have been for the last 15 years since the explosion of the Internet to the masses.

    It may take another 5 years, but I think we're getting there. Vista isn't perfect, but it's a step closer.

  6. For starters.... by Himring · · Score: 2, Insightful

    Don't allow IE to load a cursor with a .jpg extention....

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
  7. Windows - be careful! by codergeek42 · · Score: 2, Funny

    Always remember to practice SafeSEH by using the CON dev. :)

  8. What Microsoft REALLY Needs To Do... by Zero_DgZ · · Score: 3, Insightful

    ...Is re-evaluate what the true purpose of the operating system is, and stick to it instead of tacking so much nonsense to the abomination that today we call Windows.

    Microsoft made a big to-do about "focusing on security" in the development of Windows Vista, but instead spent all this time A) spackling over the screwball security holes that the superfluous bits of the last version of the operating system created, and B) bolting on more superfluous bullshit.

    The pattern of flagrant Windows/Microsoft security breaches has traditionally involved the fracal-like fuzz of superfluous features surrounding Windows. It simply tries to be too much. How many times have we heard about some hole in Internet Explorer that lets l33t h4xx0rs walk in and screw with your OS? Animated cursors opening security holes. ET-phone-home Windows Media player opening security holes. IIS subsystems on home user's computers opening security holes... Ad infinitum.

    You want a web browser on your PC? Install a web browser. It shouldn't be your OS'es job. You want animated cursors? Install a cursor manager. It shouldn't be the OS'es job. You want media players? Install a media player. It shouldn't be the OS'es job. Are we seeing the fucking pattern here, yet? If Microsoft could focus on the core of the operating system, making it the platform and the framework that the rest of your computing experience happens on instead of trying to make it the damn "multimedia/computing experience" itself I'll wager a significant portion of these stupid, smack-on-the-forehead sort of problems would go away. And if and when they did crop up, users affected could just patch or uninstall the affected browser/media player/cursor manager/whatever instead of having it permanently tied into their OS for the rest of time (heaven forbid, for example, users reinstalling Windows into it's stock, unpatched state).

  9. Innaccurate Summary by ThinkFr33ly · · Score: 2, Insightful

    Howard said the attackers were able to wrap vulnerable code in an exception handler to find ways around those mitigations. This is incorrect.

    Howard said that the vulnerable code happened to be wrapped in a very general try/catch block.

    This try/catch block, which was in the vulnerable code already, and not injected by the attackers, potentially allowed the attackers to repeatedly try different memory locations looking for system call addresses that were randomized by ASLR.

    Without this try/catch, the process would have crashed after the first failed attempt.

    In other words, liberal try/catch policies can potentially expose security vulnerabilities by giving bad guys more than one chance to do their bad deeds.

    Also, there were no reported instances of Vista being compromised. It is doubtful that the engineers of the various exploits targeted Vista, and therefor didn't take advantage of the try/catch issue to overcome ASLR since XP doesn't have ASLR. In addition, Protected Mode IE would have thwarted the attack even if they had.
  10. But I Thought... by Nom+du+Keyboard · · Score: 2, Interesting
    Wasn't Vista rewritten from scratch, rather than using the old NT code base? Isn't this wh it took an extra 3 years to arrive? Isn't this where there are still major compatibility errors in Vista compared to previous NT and Win95/98/ME versions?

    So what did they do here? Rewrite the .ANI handler by re-implementing the same bug as before?

    Or were we just lied to again, by Microsoft?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:But I Thought... by ThinkFr33ly · · Score: 4, Informative

      When did Microsoft ever claim to have rewritten Windows from scratch?

      I guess it's easy to be mad at Microsoft for lying when you put those lies in their mouth yourself.

    2. Re:But I Thought... by VertigoAce · · Score: 2, Informative

      It was delayed largely because they reset the project in late 2004. The original Longhorn was based off of the XP codebase. When they reset development they started from the Windows 2003 codebase (which was based off of the XP codebase). At no point did they claim that they were starting from scratch.

      Many of the compatibility problems are related to fixing bugs in the OS. Any time you change the behavior of the operating system you risk breaking some piece of code that relied on the old behavior. Notice that they fixed all of the known security bugs in XP, even though they haven't released patches for XP. With Vista, they can break compatibility to fix security flaws. Breaking apps that currently work on XP would cause major problems for companies.

  11. Security broke dragging files to cmd.exe by Myria · · Score: 5, Interesting

    Prior to Vista, you could drag files from Explorer to cmd.exe to have it type in the filename for you, exactly like on Mac. However, due to overzealous security changes by Microsoft, this does not work in Vista.

    In NT, console windows are actually owned by the most privileged user-mode process in the system, csrss.exe. One of Vista's big security changes is that processes cannot send window messages to windows owned by processes of higher security clearance. This means that Explorer cannot send a message to console windows telling them that there is a file being dragged to it. Starting Explorer as Administrator does not help, because csrss.exe runs with higher privilege than that.

    Rather than fix the insane design issue of csrss.exe owning console windows, they decided to leave it the way it is. Never mind that there have been exploits against csrss.exe through the console system in the past.

    To give you an idea of how bad of a hack the console implementation is, kernel32.dll's WriteFile detects console handles, which are fake handles, and translates the call into an RPC call to csrss.exe. This breaks all kinds of stuff.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  12. backwards by midnighttoadstool · · Score: 2, Interesting
    Here we go again.

    Another pointless discussion that doesn't acknowledge the depth of complexity of backwards compatability, and its commercial necessity.

  13. Re:When have they stopped saying that kind of thin by dedazo · · Score: 2, Insightful

    They used to do it regularly. NT stood for "New Technology."

    NT 3.0 was written from scratch. Please provide proof to the contrary, if you have it. Then, provide proof that *Microsoft* has claimed Vista is rewritten from scratch. And I said Vista, not Longhorn or anything else.

    I can't tell you how many times they declared the "death of DOS"

    I'd calculate that about the same number of times you've declared "M$ Winblows" was "dead".

    But I could be wrong.

    which they pay people to write

    Please provide proof of this. If true, it means that Microsoft has subverted the WP editorial controls, because for a closely-watched topic like that one, no matter how many times you edit it, someone will put your changes under the microscope. The vast majority of the Microsoft articles on WP are closely watched and by definition maintained free of harmful edits.

    So, let's see some proof of your claim.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  14. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion