Feeds

Redmond security guru explains IE vuln miss

The one that got away

Top 5 reasons to deploy VMware with Tegile

A Microsoft insider has posted an explanation for the firm's failure to spot a critical flaw in Internet Explorer that obliged the firm to publish an out-of-sequence patch earlier this month.

Michael Howard, a principal security program manager with the software giant, explains that the flaw cropped up in a blind-spot developers weren't trained to scour for potential flaws. Human error is always a factor in developing secure code and sometimes fuzzing tools can help unearth error. Unfortunately, in this case, testing tools weren't up to the job either.

Howard explained that the flaw involved a "time-of-check-time-of-use" bug in how Internet Explorer handles data binding objects. "Memory-related [time-of-check-time-of-use, or TOCTOU] bugs are hard to find through code review," Howard writes in a post to Microsoft's Security Development Lifecycle blog. "We teach TOCTOU issues, and we teach memory corruption issues, and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues."

Automated tools that throw a range of tests data at applications in order to look for problems also came unstuck, he adds.

"In theory, fuzz testing could find this bug, but today there is no fuzz test case for this code. Triggering the bug would require a fuzzing tool that builds data streams with multiple data binding constructs with the same identifier. Random (or dumb) fuzzing payloads of this data type would probably not trigger the bug, however."

Microsoft's security testers plan to update their testing methodology in order to look more closely for the class of vulnerability exploited by the recent IE flaw. Howard's technically literate post goes on to explain how defences built into Vista and Server 2008 mitigated against the bug. The post, which provides coding examples, illustrates the inherent problems of security testing, an issue developers well away from Redmond are obliged to grapple with every day. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
HTML5 vs native: Harry Coder and the mudblood mobile app princes
Developers just want their ideas to generate money
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.