Microsoft Admits to Programming Cock-Up

Last Thursday came an acknowledgement from Microsoft that it had made an error when writing Windows, which left a security hole wide open in the code for its Server Message Block 2 file-and-print-sharing protocol, which ships with Windows Vista, Windows 7 and Windows Server 2008.
More specifically, the error appears in two array references to ValidateRoutines[]. The array index in both is the wrong variable: pHeader->Command should be pWI->Command.
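The class of mistake described above, modelled as an added C example (not Microsoft's code and not part of the original post). It assumes the work item holds a command that has already been range-checked while the header is still raw packet data; every name other than ValidateRoutines, pHeader, pWI and Command is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model; only ValidateRoutines, pHeader, pWI, Command come from the post. */
typedef struct { uint16_t Command; } PACKET_HEADER; /* raw, untrusted packet bytes */
typedef struct { uint16_t Command; } WORK_ITEM;     /* parsed copy (assumed range-checked) */
typedef int (*VALIDATE_ROUTINE)(const PACKET_HEADER *);

static int validate_ok(const PACKET_HEADER *h) { (void)h; return 0; }

#define ROUTINE_COUNT 4
static const VALIDATE_ROUTINE ValidateRoutines[ROUTINE_COUNT] = {
    validate_ok, validate_ok, validate_ok, validate_ok
};

/* Receive path: a work item only ever holds an in-range command. */
int init_work_item(WORK_ITEM *pWI, uint16_t parsed_command) {
    if (parsed_command >= ROUTINE_COUNT) return -1;
    pWI->Command = parsed_command;
    return 0;
}

/* Mistake described in the post: the index comes from the raw header. */
size_t routine_index_wrong(const PACKET_HEADER *pHeader, const WORK_ITEM *pWI) {
    (void)pWI;
    return pHeader->Command;
}

/* Correction: the index comes from the checked work item. */
size_t routine_index_fixed(const PACKET_HEADER *pHeader, const WORK_ITEM *pWI) {
    (void)pHeader;
    return pWI->Command;
}

/* Defence in depth: bounds-check again at the point of use; -2 means refused. */
int dispatch(size_t index, const PACKET_HEADER *pHeader) {
    if (index >= ROUTINE_COUNT || ValidateRoutines[index] == NULL) return -2;
    return ValidateRoutines[index](pHeader);
}

int main(void) {
    PACKET_HEADER hdr = { 0x4142 };  /* constructed value, outside the table */
    WORK_ITEM wi;
    if (init_work_item(&wi, 1) != 0) return 1;
    printf("header index:    %d\n", dispatch(routine_index_wrong(&hdr, &wi), &hdr));
    printf("work-item index: %d\n", dispatch(routine_index_fixed(&hdr, &wi), &hdr));
    return 0;
}
```

The use-site check in `dispatch` is what turns the wrong-variable mistake into a refused request instead of a read past the end of the table.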

The MS09-050 security bulletin released Tuesday states that as a result, "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

This coding error was missed in Windows Vista despite checks, and has only recently been detected using a process known as fuzzing: subjecting software to a wide range of data input to see if, and where, it breaks. The bug was detected very late in the Windows 7 development process, and although it appeared in both the beta and Release Candidate versions of Windows 7, it has been patched in the RTM copies of Windows 7, due for sale later this month (October 2009).

 

 


Microsoft has now patched this vulnerability in its biggest-yet Patch Tuesday on 13th October 2009. Both independent analysts and Microsoft itself have advised all users to put the MS09-050 patches on a high-priority list, as some exploit code is already in the public domain, and other exploit code with a bigger sting in its tail will most likely follow.

While all this was obviously down to a rather serious human error, it's not exactly practical for Microsoft to keep manually checking every one of the millions of lines of code that go to make up its operating systems. The most practical method of checking the systems is the above-mentioned fuzzing, which did discover the above vulnerabilities just in time. Other than that, this issue also goes to prove that even software giants are fallible and prone to human error.

What do you think about all this? Please comment below.

There’s a hole in my program,
Steve Ballmer, Steve Ballmer.
There’s a hole in my program, a sec-ur-ity hole.

 

 
