And of the SDL

Apr 27, 2007 13:15 GMT

A month after McAfee performed the Windows Vista suicide on video, Microsoft is coming up with an explanation and a eulogy. The Windows platform that Microsoft touted as its most secure could be crashed by nothing more than a malformed animated cursor. Craig Schmugar, virus research manager with McAfee, demonstrated how Windows Vista could be rendered useless by dropping a malicious .ani file onto the operating system's desktop. The operating system would enter a perpetual "crash-restart" loop.

Of course, the Windows Animated Cursor Handling vulnerability no longer poses any real danger, as Microsoft issued an out-of-band security update on April 3rd, 2007. But some questions remained unanswered even with the out-of-cycle security patch, questions related to the efficiency of Microsoft's Security Development Lifecycle (SDL) with respect to Windows Vista.

"The Microsoft Security Response Center or any planned security response to an issue doesn't necessarily mean that SDL is ineffective or not working. Actually, having a security response plan and the existence of the Microsoft Security Response Center is part of a healthy and robust implementation of SDL. No matter how good an implementation of an SDL is, the software will always be developed to be the most secure it can be for that point in time. Essentially, the threat landscape may change or transform in ways that one could not have accounted for and thus it will always be necessary to know which parts of the organization need to be mobilized to address the concerns and release an update," revealed Adrian Slone, Security Program Manager with the MSRC.

Microsoft security guru Michael Howard confirmed that one of the core purposes of the SDL is to learn: to learn from each vulnerability and from each security update, and to include the results in the future development of Microsoft products. A scenario of avoiding past mistakes, if you will. And, according to Howard, the SDL team did indeed have much to learn about the .ANI file format vulnerability. You can find the Vista suicide eulogy here.

"SDL is not perfect, nor will it ever be perfect. We still have work to do, and this bug shows that. We have a new -GS pragma that adds more stack cookies; we've updated our fuzz tools; we will pay closer attention to exception handlers that could mask vulnerabilities, and we will investigate the impact of banning memcpy for new code. Finally, we will update our education as necessary with lessons learned from this bug," Howard concluded.