...in record time, the company was surprised by the type of vulnerability.
"It is not a common buffer overflow," Kean said. "The software has a behaviour that people can take advantage of. Obviously we did not intend it to be used in that way."
Microsoft has learned from the WMF flaw and will put the lessons into practice, Fry Wilson said. The software maker will update its Security Development Lifecycle (SDL), a set of practices that Microsoft's developers follow to prevent security vulnerabilities in products. The process includes the software maker's threat-modelling system, which checks code for potential security problems.
"This kind of threat has not been anticipated before," Fry Wilson said. "We will be revising that information in the SDL process and redoing the threat-modelling system to make sure we are looking for this kind of attack or anything similar to it."
Microsoft should have already been hunting for this type of design problem, MacDonald said. "I would have expected the SDL to already include data file formats. It should be a basic part of any security life cycle," he said.
As part of its development process, Microsoft looks for a number of common mistakes developers can make. These mistakes can turn into security problems and allow attackers to hijack a PC. Some of the common problems the company looks for are buffer overflow, integer overflow and stack overflow, Kean said.
The SDL is updated every six months. Microsoft now has a team that looks at issues as they come up, which it did not have a couple of years ago. By keeping its security processes current, the software maker aims to avoid the need to reassign substantial developer resources to an all-out security review, a company representative said.
Ferreting through its code and adapting its development practices is the right thing for Microsoft to do, several security experts said. "Microsoft has to become more proactive in finding and fixing these holes," said Johannes Ullrich, the chief research officer at the SANS Institute.
Mike Murray, director of vulnerability and exposure research at nCircle, a vulnerability management company in San Francisco, agreed. "That's the only step they can really take," he said. "Because this is a new thing, it is going to be something that a lot of bug hunters, both the good guys and the bad guys, will look for."
Microsoft doesn't expect to find many issues similar to the WMF problem, Kean said. "I don't expect this to be common, but it is something that we are going to look for," he said.
Guilfanov disputes that the WMF issue is something completely new, but agrees that the problem is likely to be an isolated one. "Nothing is really new under the sun," he said. "It is a design flaw. There shouldn't be many, but a code review can't hurt."
The WMF issue is similar to problems with Office files in the past, Guilfanov said. "The code-in-data concept is very powerful, but can bite back if not used with great care," he said. "A control mechanism should be available to disable execution of embedded code. A similar control played a great role in alleviating the Word Macro virus issue."
Vulnerabilities in file format handling are increasingly being uncovered. That's because image formats are complicated, and applications have to support many image file types, experts have said. This has opened new ways for attackers to target computers.
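The "control mechanism to disable execution of embedded code" that Guilfanov describes can be shown as a policy layer sitting between a format parser and the code that acts on records. The example below is added here and is not code from the article or from Microsoft; it parses a simplified WMF-style record stream (each record is a DWORD size in 16-bit words, a WORD function number, then parameters, as in the public WMF format description) and drops any escape record that would hand control to embedded code. The constants META_ESCAPE (0x0626) and the SETABORTPROC escape subcode (9) are the documented WMF values; the sample stream, the helper names and the policy itself are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

META_EOF = 0x0000        # terminates the record stream
META_ESCAPE = 0x0626     # record type that carries driver escapes
SETABORTPROC = 9         # escape subcode that registers a callback (code-in-data)


@dataclass
class Record:
    func: int
    params: bytes


def make_record(func: int, params: bytes = b"") -> bytes:
    """Build one record: size (in words, including the 6-byte header), function, params."""
    if len(params) % 2:
        raise ValueError("parameters must be an even number of bytes")
    size_words = (6 + len(params)) // 2
    return struct.pack("<IH", size_words, func) + params


def parse_records(data: bytes) -> List[Record]:
    """Walk the stream, validating every size field before trusting it."""
    records, off = [], 0
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size_bytes = size_words * 2
        # A record can never be shorter than its own header or run past the buffer.
        if size_words < 3 or off + size_bytes > len(data):
            raise ValueError(f"malformed record at offset {off}")
        records.append(Record(func, data[off + 6:off + size_bytes]))
        off += size_bytes
        if func == META_EOF:
            break
    return records


def apply_policy(records: List[Record], allow_escapes: bool = False) -> Tuple[List[Record], List[Record]]:
    """Policy layer: keep drawing records, drop anything that would execute embedded code.

    SETABORTPROC is always dropped; other escapes are dropped unless the caller
    explicitly opts in (the 'disable embedded code' switch the article calls for).
    """
    kept, dropped = [], []
    for r in records:
        if r.func == META_ESCAPE:
            code = struct.unpack_from("<H", r.params, 0)[0] if len(r.params) >= 2 else None
            if code == SETABORTPROC or not allow_escapes:
                dropped.append(r)
                continue
        kept.append(r)
    return kept, dropped


def summarize(data: bytes, allow_escapes: bool = False) -> Tuple[List[int], List[int]]:
    """Return the function numbers that survive the policy and those that were dropped."""
    kept, dropped = apply_policy(parse_records(data), allow_escapes)
    return [r.func for r in kept], [r.func for r in dropped]


# Constructed sample: one harmless drawing record, one SETABORTPROC escape, then EOF.
SAMPLE = (
    make_record(0x0103, b"\x08\x00")                              # META_SETMAPMODE-style record
    + make_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))  # code-in-data escape
    + make_record(META_EOF)
)

# Constructed sample with a non-SETABORTPROC escape (subcode 1), to show the opt-in path.
SAMPLE_OTHER_ESCAPE = (
    make_record(META_ESCAPE, struct.pack("<HH", 1, 0)) + make_record(META_EOF)
)

if __name__ == "__main__":
    print(summarize(SAMPLE))                          # ([259, 0], [1574])
    print(summarize(SAMPLE_OTHER_ESCAPE, True))       # ([1574, 0], [])
```

The design point is that the parser only decides whether a record is well formed; deciding whether a record is *allowed* is a separate, explicit policy, so the escape path can be switched off for untrusted input without touching the rendering code.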
The hunt for other flaws in the new species of bug is on. For example, security provider F-Secure is looking to see if Windows Mobile software is vulnerable to the WMF flaw. Hyppönen said he isn't sure whether Microsoft will find many design flaws like it: "I hope they don't, but I'm not holding my breath."
Talkback
I thought their goal was to let the consumer find the bugs and then find a patch or include it in the next OS update.
"Microsoft's fix for the flaw was the quickest turnaround ever for a Microsoft patch, released only 10 days "
I sure am glad it doesn't take Linux 10 days to issue patches.
At this point, wouldn't it be easier for Microsoft to locate the fewer lines of code WITHOUT bugs or "design flaws"? I don't understand, wasn't Windows V2 from the 1980s supposed to be when MS fixed the software, made it stable, plug and play, and user friendly? It certainly saves them money being able to make the same promises with every future edition of Windows. I bet the 2020 edition advertises itself to be finally stable, secure, free of errors, user friendly etc.... MS must feel we are Charlie Brown to their Lucy with Windows being the football.
Richard Finkelstein
"I'm about to destroy your life's work...ok?"
The common (and certainly correct) assumption is that, as soon as a vulnerability is discovered in a MS product, malicious hackers start beating on the code in that area to see if they can turn up other exploitable flaws. One might think, then, that MS would do the same. An integer overflow vulnerability was discovered in WMF file rendering in early Nov. '05 and the ISC has received submissions of examples of attacks exploiting the (later) SetAbortProc vulnerability that were apparently in circulation as early as mid-Nov (thus seeming to prove the first assumption above). So - how does this square with Fry Wilson's claim that the MS patch was "the fastest turnaround ever"? Was MS not beating on WMF rendering trying to find other flaws from early-Nov on? Were they so incompetent that they couldn't develop a fix, even though third-party coders had one in a couple of days after the public revelation in late-Dec? Or did they simply not care?