Softpedia
 


January 11th, 2007, 09:47 GMT · By

Windows Vista Is Unaffected by the VML Vulnerability



Michael Howard is a Security Product Manager with Microsoft. Following Microsoft's January release of the company's monthly security bulletins, Howard used his blog to explain how Windows Vista relates to a vulnerability in Vector Markup Language (VML) that could allow remote code execution.

Microsoft Security Bulletin MS07-004 specifies that Windows Vista is not affected by the VML vulnerability. The patch released by Microsoft on January 9, 2007 addresses only Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1, Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 x64 Edition.

“The bug is an integer overflow calling C++ operator::new, but the affected component vgx.dll is compiled with the C++ compiler available in Visual Studio 2005 that automatically detects integer overflows at runtime. All of Windows Vista is compiled with this compiler,” is Howard's explanation for Vista's immunity when it comes to the VML vulnerability.

Michael Howard revealed that Windows Vista contains the coding bug. But because the operating system is compiled with the Visual Studio 2005 compiler, which detects the integer overflow at run time, Vista is not susceptible to an overflow that would allow remote code execution.
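The class of bug Howard describes, as an added example (not code from vgx.dll, Microsoft or the article): an element count multiplied by an element size wraps around before it reaches the allocator, shown next to a hand-written guard that refuses the request. `Record`, the function names and the sample count are constructed for illustration, and the saturate-to-maximum guard is an assumption about what such a run-time check looks like, not the compiler's generated code.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>

// Constructed element type standing in for whatever a parser allocates.
struct Record { std::uint32_t a, b; };  // 8 bytes

static const std::size_t kMax = std::numeric_limits<std::size_t>::max();

// No overflow check: unsigned arithmetic wraps modulo kMax + 1, so a huge
// count can yield a tiny byte size that the allocator happily satisfies.
std::size_t unchecked_bytes(std::size_t count, std::size_t elem) {
    return count * elem;
}

// Hand-written guard (assumed shape of the check): on overflow, saturate to
// the largest size so that no allocator can satisfy the request.
std::size_t checked_bytes(std::size_t count, std::size_t elem) {
    if (elem != 0 && count > kMax / elem) return kMax;
    return count * elem;
}

// Allocate room for `count` records; nullptr when the size overflowed or
// memory is unavailable. Caller frees with ::operator delete.
Record* alloc_records(std::size_t count) {
    const std::size_t bytes = checked_bytes(count, sizeof(Record));
    if (bytes == kMax) return nullptr;  // overflow detected: refuse
    return static_cast<Record*>(::operator new(bytes, std::nothrow));
}

int main() {
    // Constructed count chosen so that count * sizeof(Record) wraps.
    const std::size_t count = kMax / sizeof(Record) + 2;
    std::printf("unchecked size: %zu bytes\n",
                unchecked_bytes(count, sizeof(Record)));
    std::printf("checked size saturated: %s\n",
                checked_bytes(count, sizeof(Record)) == kMax ? "yes" : "no");
    Record* p = alloc_records(count);
    std::printf("allocation %s\n", p ? "succeeded" : "refused");
    ::operator delete(p);
    return 0;
}
```

The unchecked path hands back a buffer sized for one record while the caller believes it holds `count` of them; the guarded path turns the same input into a failed allocation.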

The self-styled “Simple Security Guy at Microsoft” also drew a conclusion from this experience. “The moral of this story is developers will never find all code-level security bugs, so you need other defenses. Just in case,” he noted.
