Microsoft Cites Lack Of Training For Missing Critical IE Bug
Microsoft released an emergency, out-of-band security patch last week repairing a critical flaw in the Internet Explorer (IE) Web browser. The vulnerability stemmed from a fundamental flaw in the browser's data-binding code that left a memory-corruption hole remote attackers could reach and exploit.
In Microsoft's "Security Development Lifecycle" blog post, Michael Howard, the company's principal security program manager, said that researchers overlooked some critical factors that would have led to the bug's detection. The oversight was due, in part, to lack of training and an inadequate review process.
"Every bug is an opportunity to learn, and the security update that fixed the data-binding bug that affected Internet Explorer users is no exception," Howard said. "We really don't know how the bug was found, but some of the security people in Internet Explorer and the Trustworthy Computing Security teams suggest that the bug was either 'stumbled upon' or found through directed fuzzing."
Howard said that this particular IE flaw fell outside the researchers' training: the bug was not a heap-corruption vulnerability, so the standard detection procedures did not apply to it. While proper testing could have caught the error, Howard said, doing so would have been challenging and complex.
"Memory related TOCTOU bugs are hard to find through code review; we teach TOCTOU issues and we teach memory corruption issues and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues," he said. "In theory, fuzz testing could find this bug. But today there is no fuzz test case for this code."
"Triggering the bug would require a fuzzing tool that builds data streams with multiple data-binding constructs with the same identifier," he added.
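To make the bug class Howard describes concrete, here is an added, constructed model in C; it is not Internet Explorer code and not from Microsoft's post. It assumes a hypothetical registry of "data bindings" keyed by identifier, where registering a second construct with an identifier already present replaces the earlier object and drops the registry's reference to it. The time-of-check is a lookup, the intervening operation is parsing the rest of the stream, and the time-of-use is the dereference of the pointer obtained at the check. Released objects are only marked dead, never freed, so the stale use is reported deterministically instead of being undefined behaviour. The same function run with `hold_reference` set shows the mitigation: pinning the object with a reference across the intervening operation. The two sample streams are constructed, and only the one that repeats an identifier triggers the bug, which is exactly the input shape Howard says a fuzzer would have to produce.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not Internet Explorer code) of a memory-related TOCTOU bug:
 * a registry of "data bindings" keyed by identifier, where registering a second
 * binding with an identifier already present replaces the earlier object and
 * drops the registry's reference to it. */
typedef struct {
    char id[16];
    int refcount;
    bool alive;   /* instrumentation: cleared when the last reference is dropped */
} Binding;

#define MAX_BINDINGS 8
static Binding *registry[MAX_BINDINGS];

static Binding *binding_new(const char *id) {
    Binding *b = calloc(1, sizeof *b);
    if (!b) abort();
    strncpy(b->id, id, sizeof b->id - 1);
    b->refcount = 1;          /* the registry's own reference */
    b->alive = true;
    return b;
}

static void binding_retain(Binding *b) { b->refcount++; }

/* Objects are never free()d here; a released object is only marked dead so that a
 * stale use is reported deterministically instead of being undefined behaviour. */
static void binding_release(Binding *b) {
    if (--b->refcount == 0) b->alive = false;
}

static Binding *registry_lookup(const char *id) {
    for (int i = 0; i < MAX_BINDINGS; i++)
        if (registry[i] && strcmp(registry[i]->id, id) == 0) return registry[i];
    return NULL;
}

/* A duplicate identifier replaces the existing entry; this is the intervening
 * operation that invalidates a pointer obtained from an earlier lookup. */
static void registry_register(const char *id) {
    for (int i = 0; i < MAX_BINDINGS; i++) {
        if (registry[i] && strcmp(registry[i]->id, id) == 0) {
            binding_release(registry[i]);
            registry[i] = binding_new(id);
            return;
        }
    }
    for (int i = 0; i < MAX_BINDINGS; i++)
        if (!registry[i]) { registry[i] = binding_new(id); return; }
    abort();   /* registry full */
}

enum { USE_OK = 0, USE_STALE = 1, USE_EMPTY = 2 };

/* Process a stream of data-binding constructs. The first construct is looked up
 * (time of check), the rest of the stream is parsed, then the pointer from the
 * check is used (time of use). With hold_reference == false this is the bug
 * pattern; with true the object is pinned across the intervening parse. */
int process_stream(const char *const ids[], int n, bool hold_reference) {
    if (n < 1) return USE_EMPTY;
    for (int i = 0; i < MAX_BINDINGS; i++) registry[i] = NULL;  /* old objects leak on purpose */
    registry_register(ids[0]);
    Binding *b = registry_lookup(ids[0]);   /* time of check */
    if (hold_reference) binding_retain(b);
    for (int i = 1; i < n; i++) registry_register(ids[i]);   /* parse the remainder */
    int result = b->alive ? USE_OK : USE_STALE;              /* time of use */
    if (hold_reference) binding_release(b);
    return result;
}

/* Constructed sample streams: only the one repeating an identifier triggers the bug. */
static const char *const STREAM_DISTINCT[]  = {"ctl1", "ctl2"};
static const char *const STREAM_DUPLICATE[] = {"ctl1", "ctl1"};

int main(void) {
    printf("distinct ids, no ref held:  %d\n", process_stream(STREAM_DISTINCT, 2, false));
    printf("duplicate ids, no ref held: %d (1 = stale use)\n", process_stream(STREAM_DUPLICATE, 2, false));
    printf("duplicate ids, ref held:    %d\n", process_stream(STREAM_DUPLICATE, 2, true));
    return 0;
}
```

The point of the model is the one Howard makes about detection: nothing in the individual steps looks wrong, and a stream of distinct identifiers never fails, so neither ordinary code review nor a fuzzer that does not repeat identifiers would flag it. A regression test for this class of bug is simply the duplicate-identifier stream with the expectation that it returns `USE_OK`.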
Despite the emergency update, Microsoft was unable to prevent a spate of attacks by hackers who exploited the vulnerability by reverse engineering the patch. Security researchers first saw evidence of attacks shortly following Microsoft's "Patch Tuesday" monthly security bulletin release Dec. 9, and have since seen active exploitation rapidly spread in the wild.
Unlike exploits that require users to download malicious software or open an infected file, this one needs only a visit to a Web site hosting Trojans or other malware to infect the user. Hackers can lure victims to a specially crafted site, typically with some kind of phishing or social engineering play, or plant the malicious code on legitimate sites by exploiting vulnerabilities in those sites.
However, there were defenses that worked to protect users from becoming infected -- namely Internet Explorer's Protected Mode on Windows Vista.
Howard said Microsoft planned to update its training to accommodate these kinds of memory errors.
"If there is one other lesson from this, it's that we, the software industry, need to work harder to make sure applications take advantage of the defenses offered in Windows today," Howard said.
"This is one of those things that makes security hard -- security is a highly asymmetric problem. Software developers must get the code right 100 percent of the time in a very short amount of time, while attackers can spend as long as they want to find one bug," he said. "This isn't an excuse; it's a fact of life."
