Microsoft explains how the ANI bug got baked into Vista

ANI vulnerability revealed more holes in Vista's security components

In a postmortem of last month's Windows animated (.ANI) cursor vulnerability, one of Microsoft's security development gurus Friday spelled out how the bug sneaked into Vista.

Michael Howard, an authority on Microsoft's Security Development Lifecycle (SDL) -- a multipart initiative that aims to get developers to design more secure code -- posted an extensive entry on the brand-new SDL blog that outlined lessons learned from the ANI vulnerability. "SDL is not perfect, nor will it ever be perfect," Howard acknowledged Thursday. "We still have work to do, and this bug shows that."

That bug, which first surfaced late last month and posed enough of a threat that Microsoft went out of cycle to patch it, affected all older editions of Windows as well as the newest, and supposedly more secure, Windows Vista. Some security researchers, in fact, took Microsoft and its SDL process to task for not catching the flawed code as Vista was written, debugged, tested and polished.

Some of those same researchers immediately weighed in on the unusual mea culpa by Microsoft. "This is really out of character," said Jonathan Bitle, the manager of the technical accounts team at Qualys. "Microsoft historically has played security issues much closer to the vest."

Oliver Friedrichs, director of Symantec's security response team, was a bit tougher in questioning Microsoft's motives. "They're attempting to be more transparent to explain why this vulnerability was missed. They received a lot of criticism for not catching this earlier and for letting it into Vista, and I think this was one of the only ways for them to explain both to the technical and the management-level communities how they actually missed it."

Specifically, Howard called out flaws that the ANI vulnerability revealed in Vista's security components, as well as in Microsoft's development tools and processes.

The /GS switch, a function of Microsoft Visual Studio's compiler that's designed to protect stack variables from overflows that could result in arbitrary code execution, was one. Some third-party researchers, notably Ollie Whitehouse of Symantec, have criticized Microsoft for not /GS compiling all of Vista's binaries. Turns out, however, that in the ANI case, that wasn't the problem.

"Because there are no candidate buffers on the function's stack, there is no /GS cookie added to the stack, even though the code is compiled with /GS," said Howard. "This is not the first time we've seen code with no cookie, and this has made us rethink the heuristics used by the compiler when it determines whether to place a cookie on the stack or not."

Another Vista security feature, Address Space Layout Randomization (ASLR), which is supposed to randomly assign data to memory to make it tougher for attackers to determine the location of critical OS functions, also didn't have the intended impact on the ANI vulnerability. "If the vulnerable code is wrapped in an exception handler that catches many errors [as was the animated cursor code], a failed attempt will not crash the component and the attacker can try again with a different set of addresses," Howard said. David LeBlanc, also of Microsoft and the co-author with Howard of the just-released book Writing Secure Code for Vista, blogged about the danger of using exception handlers on April 3, the same day that Microsoft patched the ANI bug.

"I've said a lot of times that incorrect use of exception handlers will get you hacked," LeBlanc warned at the time.

Howard backed him up: "[An exception handler] can usually be good for reliability, but it has an interesting security side effect. By itself [its] 'catch everything' construct is not a security bug, but it can aid an attacker if the exception handler wraps vulnerable code."

Some of Microsoft's own development and testing tools also failed to flag the code, which Howard said was taken from Windows 2000, a seven-year, two-month-old operating system.

"Our static analysis tools do not flag this construct as a security bug because it's a very low-priority warning," admitted Howard. Why? "Code that uses calls such as 'memcpy' is hard to flag as vulnerable without generating a great many false positives. This is a research problem that no one has solved, here or elsewhere." Howard said Microsoft will investigate further and may ban calls like memcpy in new code to prevent a recurrence.

Fuzz testing, which drops random data into applications or operating system components to see if -- and where -- breakdowns occur, also missed the bug. "The animated cursor code was fuzz-tested extensively per the SDL requirements," said Howard. "[But] it turns out none of the .ANI fuzz templates had a second 'anih' record. This is now addressed, and we are enhancing our fuzzing tools to make sure they add manipulations that duplicate arbitrary object elements better."

These moves, warned a commenter to Howard's blog, are only cosmetic fixes. "Security has to be written right into the code; you can't add it in later with a bit of compiler magic," said someone identified as Xepol. "Pretending you can 'fix' old code with a few compiler flags is going to result in problems like this repeating endlessly. At some point, you have to stop, go back and fix the foundation, or you might as well be building on quicksand."

Both Bitle and Friedrichs sounded a similar clarion call. "What Microsoft highlighted here is that while the SDL is thorough, reused code is going to be their downfall," said Bitle. "Old code will be the Achilles' heel of SDL."

"This is the gap that we're seeing in the [SDL] process," added Friedrichs, "in that flawed legacy code can make it into a current version of Windows. And this gives them an incentive to analyze that legacy code. I would if I were in their shoes."

"They're obviously recognizing that detecting these vulnerabilities is getting more complicated, and they must get more complex in their response," said Bitle.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments


Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >


Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >


Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >


Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?