Microsoft explains how it missed critical IE bug

Developers missed a critical bug in Internet Explorer because they weren't properly trained and didn't have the right testing tools, an insider reveals.

Microsoft's developers missed a critical bug in Internet Explorer because they weren't properly trained and didn't have the right testing tools, a noted proponent of the company's secure code development process acknowledged last week.

The bug, which Microsoft patched last week with an emergency update, had gone undetected for at least nine years.

In an insider's description on Microsoft's Security Development Lifecycle blog, Michael Howard, a principal security program manager with the company, offered a postmortem analysis of the IE vulnerability and Microsoft's code-writing and reviewing process.

Howard, who is perhaps best known for co-authoring the book Writing Secure Code , said the flaw was a "time-of-check-time-of-use" bug in how IE releases data binding objects.

The vulnerability was not found by programmers because they had not been told or taught to look for them in such cases, Howard said. "Memory-related [time-of-check-time-of-use, or TOCTOU] bugs are hard to find through code review," he said. "We teach TOCTOU issues, and we teach memory corruption issues, and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues."

Microsoft's testing tools -- including "fuzzers," automated tools that drop data into applications, file formats or operating system components to see if, and where, they fail -- also missed the bug, Howard admitted.

"In theory, fuzz testing could find this bug, but today there is no fuzz test case for this code," he said. "Triggering the bug would require a fuzzing tool that builds data streams with multiple data binding constructs with the same identifier. Random (or dumb) fuzzing payloads of this data type would probably not trigger the bug, however."

Howard said that Microsoft would update its developer training to account for memory-related TOCTOU bugs like this one.

Several parts of Windows' security toolkit didn't help protect users from exploits of this bug, Howard added, including ALSR and NX, technologies available only in Windows Vista and Windows Server 2008. "Even though Windows Vista and Windows Server 2008 have both ASLR and NX enabled by default, Internet Explorer 7 does not opt-in to these defenses owing to compatibility issues with many common applications," Howard noted.

Before Microsoft released last week's patch and after it had confirmed that attacks were in progress, it urged users to take countermeasures, including enabling DEP (data execution prevention), another term for NX, in IE7.

Another Microsoft defense, however, did protect users running Vista or Server 2008, said Howard, who argued that "Protected Mode" did its job. Protect Mode essentially "sandboxes" IE and its add-ons so that actions taken within the browser are prevented from accessing the operating system generally.

"When the exploit code runs, it's running at low integrity because IE runs at low integrity," Howard said, "and this means the exploit code cannot write to higher integrity portions of the operating system, which is just about everywhere."

Those defensive technologies could not protect users of Window XP, which remains the most widely used version of Windows by a margin of more than 3:1 over Vista.

Howard also speculated that the bug may have been found by hackers armed with custom fuzzers, which Microsoft itself has not crafted for its own testing.

"I think this bug is a great example of 'you will never get the code 100% right, so multiple defenses are critical'," Howard said. "[And] if there is one other lesson from this, it's that we, the software industry, need to work harder to make sure applications take advantage of the defenses offered in Windows today."

The data binding bug was present in all still-supported versions of IE, including IE5.01, which was released in November 1999. The patch can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftInternet Explorer

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?