Microsoft's failure to spot the animated cursor bug in Windows Vista could be a disconcerting sign that Vista's security-oriented development process slipped up, researchers have suggested.
This week, Microsoft issued an out-of-cycle fix for a vulnerability that's been exploited since at least March 28 by hackers armed with malicious .ani files. Every supported version of Windows contained the bug, including Vista.
The fact that Vista was affected rang alarm bells with security researchers, who recalled that an update more than two years ago addressed the same section of Windows code. That bug, fixed by the MS05-002 patch, also involved animated cursors and icon files, and updated the User32.dll file. That file was also replaced in this week's MS07-017 update.
Earlier this week, Mark Miller, director of the Microsoft Security Response Center, acknowledged that the failure to spot the new ANI bug when developers reviewed the vulnerable code in 2005 was a breakdown. "We're doing an analysis of why we didn't find it then," Miller said.
Security researchers weren't so kind.
"You have to take some points away from Microsoft for not catching this," said Amol Sarwate, manager of Qualys. "The No. 1 step before trying to find new vulnerabilities in [something like Vista] is to test older ones, or exploit variants against older vulnerabilities."
Oliver Friedrichs, director of Symantec Corp.'s security response team, agreed. "Given the investment it's made and SDL [Microsoft's Security Development Lifecycle], we would have hoped Microsoft had found this then," said Friedrichs. "I'd call it 'somewhat of a failure,' because frankly, these vulnerabilities are very, very difficult to find. Vulnerability research is more of an art, less of a science."
Microsoft hasn't made it a secret that it recycled old code when creating Windows Vista. Starting from scratch in every instance, said Friedrichs, would have been "simply impossible." But Microsoft has heavily publicised the SDL process it used to craft Vista, and how in earlier products, such as SQL Server 2005, SDL drastically reduced the number of bugs. As part of the SDL process, developers are to conduct one or more security code reviews.
"They are a crucial step in the process of removing security vulnerabilities from software during the development process," Microsoft said in a posted outline of SDL.
But for some, Vista's security promise met reality with the ANI bug.
"I wouldn't say that SDL is a total failure, but if we keep seeing newer vulnerabilities and ones based on older flaws, then I would have to question the entire process," said Sarwate. "At the least, it definitely opens the door to hackers to go back and look in older vulnerabilities and try exploits of those on Vista."
Symantec's Friedrichs was even more forgiving. "Microsoft appears to have succeeded in its overarching goal of making Vista more secure, but it, and SDL, cannot solve all of Vista's security problems." What the ANI vulnerability shows, he added, is that "you can put a significant amount of funding and effort to secure an OS, and you still won't find all the bugs."
Microsoft's Stephen Toulouse, senior product manager for the company's trustworthy computing group, echoed Friedrichs in a recent blog, where he dismissed charges that the ANI flaw showed SDL to be a total failure.
"The goal of the SDL is two-fold: to reduce vulnerabilities and make a product more resistant to attack if a vulnerability is discovered," Toulouse said. "There is no process, anywhere, that anyone can say 'Well, this should have caught this vulnerability 100 percent all the time.'"