Microsoft blames Internet Explorer bug on inadequate training
A senior Microsoft security expert says the company failed to spot the recent Internet Explorer bug because staff weren’t trained to spot that particular type of problem. That’s cold comfort to those who’ve risked infection from 10,000 Web sites which could exploit the problem.
Microsoft had to release a second emergency patch in the space of two months after an estimated 2 million computers were infected by the problem. As well as putting users at risk, the problem led to widespread media calls for users to switch to rival browsers.
Michael Howard, a security program manager at the firm, says the bug was particularly unusual as it combined two characteristics. One was memory exploitation in which a program gains access to an unprotected section of the computer’s memory, effectively giving it control over other programs.
The second was a ‘time of check to time of use’ (TOCTOU) issue. That type of bug arises because there is a gap in time (however brief) between checking that a particular action on a protected part of a program or computer is permitted, and actually carrying out that action; if the state being checked changes inside that gap, the check no longer describes what the action operates on.
Carrying out an attack on a TOCTOU bug is a complicated process, but here’s a very crude analogy: imagine a schoolchild gets a teacher’s note (written in pencil on a permission form) allowing them to leave class to visit the school nurse.
Because the child doesn’t walk out of the classroom and straight into the nurse’s office, the walk down the hallway gives them enough time to erase the note and use the genuine permission form to forge a note giving them permission to go home.
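The check-then-use gap the analogy describes, as an added example that is not code from the article or from Microsoft: a file-system race rather than the memory-related variant Howard describes, but the same shape. The `between_check_and_use` hook is a hypothetical stand-in for a concurrent actor acting inside the gap; the scratch files and their contents are constructed here. The racy reader names the path twice (check, then use), so a swap in between is honoured; the safer reader opens first and validates the descriptor it actually holds with `fstat`, so the swap has nothing to act on.

```python
import os
import stat
import tempfile

# Constructed example: a file-system TOCTOU window beside a race-free rewrite.


def read_if_regular_racy(path, between_check_and_use=None):
    """Check the path, then open it. The two steps resolve the path separately,
    so whatever the path points to at time of use is what gets read."""
    st = os.lstat(path)                       # time of check
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing to read a non-regular file")
    if between_check_and_use is not None:     # hypothetical hook: another actor in the gap
        between_check_and_use()
    with open(path, "rb") as f:               # time of use: resolves the path again
        return f.read()


def read_if_regular_safe(path, between_check_and_use=None):
    """Open first (refusing symlinks where the platform supports O_NOFOLLOW),
    then check the descriptor. fstat() describes the object we already hold."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)                 # bind to the object once
    try:
        st = os.fstat(fd)                     # check the bound object, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing to read a non-regular file")
        if between_check_and_use is not None:  # same gap, but the name is no longer consulted
            between_check_and_use()
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def run_demo():
    """Create a public and a secret file, swap the public path for a symlink
    inside the gap, and return what each reader delivers: (racy, safe)."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")   # constructed scratch files
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"public")
        with open(secret, "wb") as f:
            f.write(b"secret")

        def swap():
            # Replace the directory entry that passed the check with a link elsewhere.
            os.remove(public)
            os.symlink(secret, public)

        racy = read_if_regular_racy(public, swap)   # check passed, use read the secret

        os.remove(public)                          # reset the scratch state
        with open(public, "wb") as f:
            f.write(b"public")

        safe = read_if_regular_safe(public, swap)   # descriptor still refers to the original
        return racy, safe


if __name__ == "__main__":
    print(run_demo())
```

The fix is not a smaller window but no window: once the check is performed on the handle rather than the name, nothing a concurrent actor does to the name can change what the handle refers to. The same reasoning applies to the memory-related variant, where the equivalent is to operate on a reference you have pinned rather than re-deriving it after the check.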
According to Howard, a problem that combines the two issues is so complex to discover that it’s simply not practical to teach the relevant techniques:
Memory related TOCTOU bugs are hard to find through code review; we teach TOCTOU issues and we teach memory corruption issues and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues.
Howard concludes with a general point about computer security: a software firm is expected to ensure every part of a program is secure during the limited development time, while a hacker can put all of their efforts into attacking one vulnerability for as long as they like (or at least until the program is no longer in widespread use).
He argues “This isn’t an excuse; it’s a fact of life.” That’s true. However, it’s also a fact of life that, however unrealistically, people expect a multi-billion dollar firm to allocate enough resources to catch every problem before the hackers.