HomeBlogsMacRonin's blog

Researchers question Vista security after ANI exploit

April 6, 2007 - 6:58pm — MacRonin

Researchers question Vista security after ANI exploit: Microsoft Corp.'s failure to spot the animated cursor bug in Windows Vista is, at best, a flag to hackers that old flaws may abound in the new operating system, researchers said today. At worst, it's a disconcerting sign that Vista's security-oriented development process slipped up.

This week, Microsoft issued an out-of-cycle fix for a vulnerability that's been exploited since at least March 28 by hackers armed with malicious .ani files. Every supported version of Windows contained the bug, including Vista.

The fact that Vista was affected rang alarm bells with security researchers, who recalled that an update more than two years ago addressed the same section of Windows code. That bug, fixed by the MS05-002 patch, also involved animated cursors and icon files, and updated the User32.dll file. That file was also replaced in this week's MS07-017 update.

Earlier this week, Mark Miller, director of the Microsoft Security Response Center, acknowledged that the failure to spot the new ANI bug when developers reviewed the vulnerable code in 2005 was a breakdown. "We're doing an analysis of why we didn't find it then," Miller said.

Security researchers weren't so kind.

"You have to take some points away from Microsoft for not catching this," said Amol Sarwate, manager of Qualys Inc. "The No. 1 step before trying to find new vulnerabilities in [something like Vista] is to test older ones, or exploit variants against older vulnerabilities."

Oliver Friedrichs, director of Symantec Corp.'s security response team, agreed. "Given the investment it's made and SDL [Microsoft's Security Development Lifecycle], we would have hoped Microsoft had found this then," said Friedrichs. "I'd call it 'somewhat of a failure,' because frankly, these vulnerabilities are very, very difficult to find. Vulnerability research is more of an art, less of a science."

Microsoft hasn't made it a secret that it recycled old code when creating Windows Vista.

(Via Computerworld Security News.)


Bookmark/Search this post with: