Feeds

Firm finds danger in dangling pointers

New buffer overflow threat

High performance access to file storage

In December 2005, technology consultant Inge Henriksen announced he had found a flaw in Microsoft's flagship web server platform, Internet Information Server (IIS) 5.1.

Yet, because the vulnerability appeared impossible to exploit, Microsoft put off patching the issue.

The programming problem represented a fairly common developer mistake, but one that is generally thought to cause instability, not insecurity. Known as a dangling, or wild, pointer, the flaw was caused by an IIS service process that attempted to use memory that was already freed by the program. At the time, exploiting the flaw only appeared to crash the program.

"In other words, this is not a buffer/stack overflow exploit and it will therefore not enable anyone to execute code on the web server," Henriksen wrote on his blog at the time. "But then again, I'm not sure on this issue and someone might prove me wrong."

As it turns out, Henriksen and Microsoft were both wrong. More than a year and a half later, two researchers at security-audit firm Watchfire discovered a way to exploit the dangling point issue. What's more, the researchers - Jonathan Afek and Adi Sharabani - have found a method of exploiting a broad class of dangling pointers and plan to detail the process next week at the Black Hat Security Briefings in Las Vegas.

The discovery means that developers and security researchers need to start considering dangling pointers as security problems as serious as buffer overflows, said Danny Allan, director of security research for Watchfire.

"The dangling pointer was reported to Microsoft in 2005, and they never patched it - that is indicative where dangling pointers are right now," Allan said. "It remained unpatched for two years because they didn't consider it a security problem, but a quality problem."

A dangling pointer is a software bug that occurs when a programmer creates an object in memory, uses the object, frees up the memory for reuse and then mistakenly tries to access the object again. The portion of memory previously allocated to the object may no longer have the expected data. Instead, the memory likely has meaningless data, or in the case of an exploitable dangling pointer, could have malicious code.

While other researchers have found exploitable dangling pointers, most developers believe that the flaw is a quality-control issue, not a security problem, Watchfire's Allan said.

"That is where most companies are today," he said. "They don't patch these things very quickly."

In the case of the IIS 5.1 flaw, it took Microsoft 21 months to patch the issue. While some security experts didn't rule out the possibility that the IIS flaw could be used to execute code, Microsoft apparently agreed with Henriksen's assessment and promptly put patching the flaw on the back burner, promising to fix the issue in Windows XP Service Pack 3, which at the time was a year away.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.