Feeds

Firm finds danger in dangling pointers

New buffer overflow threat

The Essential Guide to IT Transformation

In December 2005, technology consultant Inge Henriksen announced he had found a flaw in Microsoft's flagship web server platform, Internet Information Server (IIS) 5.1.

Yet, because the vulnerability appeared impossible to exploit, Microsoft put off patching the issue.

The programming problem represented a fairly common developer mistake, but one that is generally thought to cause instability, not insecurity. Known as a dangling, or wild, pointer, the flaw was caused by an IIS service process that attempted to use memory that was already freed by the program. At the time, exploiting the flaw only appeared to crash the program.

"In other words, this is not a buffer/stack overflow exploit and it will therefore not enable anyone to execute code on the web server," Henriksen wrote on his blog at the time. "But then again, I'm not sure on this issue and someone might prove me wrong."

As it turns out, Henriksen and Microsoft were both wrong. More than a year and a half later, two researchers at security-audit firm Watchfire discovered a way to exploit the dangling point issue. What's more, the researchers - Jonathan Afek and Adi Sharabani - have found a method of exploiting a broad class of dangling pointers and plan to detail the process next week at the Black Hat Security Briefings in Las Vegas.

The discovery means that developers and security researchers need to start considering dangling pointers as security problems as serious as buffer overflows, said Danny Allan, director of security research for Watchfire.

"The dangling pointer was reported to Microsoft in 2005, and they never patched it - that is indicative where dangling pointers are right now," Allan said. "It remained unpatched for two years because they didn't consider it a security problem, but a quality problem."

A dangling pointer is a software bug that occurs when a programmer creates an object in memory, uses the object, frees up the memory for reuse and then mistakenly tries to access the object again. The portion of memory previously allocated to the object may no longer have the expected data. Instead, the memory likely has meaningless data, or in the case of an exploitable dangling pointer, could have malicious code.

While other researchers have found exploitable dangling pointers, most developers believe that the flaw is a quality-control issue, not a security problem, Watchfire's Allan said.

"That is where most companies are today," he said. "They don't patch these things very quickly."

In the case of the IIS 5.1 flaw, it took Microsoft 21 months to patch the issue. While some security experts didn't rule out the possibility that the IIS flaw could be used to execute code, Microsoft apparently agreed with Henriksen's assessment and promptly put patching the flaw on the back burner, promising to fix the issue in Windows XP Service Pack 3, which at the time was a year away.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.