Follow-up on IE Security Breach

by Taylor Flatt on December 22nd, 2008 at 1:47 pm EDT - 196 views

Microsoft has finally started giving insight into this bug, which has actually been present for 9 years.  Microsoft said that the error was one that was never tested for.  Although they know of such bugs, they haven’t been training their staff to handle such issues, which has essentially caused this major panic.

To find the bug and to test for ones like it, which are called TOCTOU (time-of-check to time-of-use) bugs (memory errors), they had to use “fuzzers”.  These fuzzers test the software by dumping information into various parts of it and trying to trigger a bug.  Since they didn’t have a fuzzer for TOCTOU errors, there was no way to find it.  The bug was not only present in recent browsers, but was traced all the way back to IE 5 (1999).  Michael Howard, principal security manager at Microsoft, had this to say about the bug:

“In theory, fuzz testing could find this bug, but today there is no fuzz test case for this code,” he said. “Triggering the bug would require a fuzzing tool that builds data streams with multiple data binding constructs with the same identifier. Random (or dumb) fuzzing payloads of this data type would probably not trigger the bug, however.”

Basically what he is saying here is that they had no idea an error existed and that there was really no way to test for it until people began to exploit it.
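The gap Howard describes between dumb and structure-aware fuzzing can be shown on a toy target. This is an added example, not code from the original post or from Microsoft: the `bind <id>;` grammar, the `process` functions and both generators are constructed for illustration and do not model IE's actual code.

```python
import random

def parse(stream: bytes) -> list:
    """Toy grammar (constructed): 'bind <id>;' records; anything else is ignored."""
    out = []
    for part in stream.split(b";"):
        fields = part.split()
        if len(fields) == 2 and fields[0] == b"bind":
            out.append(fields[1])
    return out

def release_duplicates(table: list, i: int) -> None:
    """A later binding that reuses table[i]'s identifier is dropped from the table."""
    for j in range(len(table) - 1, i, -1):
        if table[j] == table[i]:
            del table[j]

def process(stream: bytes) -> None:
    table = parse(stream)
    count = len(table)                 # time of check: length read once
    for i in range(count):             # time of use: stale length trusted
        _ = table[i]                   # IndexError stands in for the bad memory access
        release_duplicates(table, i)   # table can shrink underneath the loop

def process_fixed(stream: bytes) -> None:
    table = parse(stream)
    i = 0
    while i < len(table):              # length re-checked on every iteration
        release_duplicates(table, i)
        i += 1

def dumb_case(rng: random.Random) -> bytes:
    return bytes(rng.randrange(256) for _ in range(32))   # random bytes, no structure

def structured_case(rng: random.Random) -> bytes:
    ids = [b"id%d" % rng.randrange(8) for _ in range(4)]  # small pool, so ids repeat
    return b"".join(b"bind %s;" % i for i in ids)

def crashes(target, gen, trials: int = 2000, seed: int = 1) -> int:
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        try:
            target(gen(rng))
        except IndexError:
            hits += 1
    return hits

if __name__ == "__main__":
    print("dumb fuzzer, flawed target:      ", crashes(process, dumb_case))
    print("structured fuzzer, flawed target:", crashes(process, structured_case))
    print("structured fuzzer, fixed target: ", crashes(process_fixed, structured_case))
```

The random-byte generator almost never produces even one well-formed record, let alone two with the same identifier, so it reports nothing; the generator that knows the grammar and reuses identifiers reaches the stale-length path immediately.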

Although Microsoft was able to provide countermeasures to the folks using Vista, they could not provide such countermeasures to those using Windows XP (which is used 3:1 compared to Vista).  This was a tragic flaw; in the future, we hope they will be able to spot such bugs and keep them out of the program.  The bug could have been worse, but being a Chrome/Firefox user, I am thankful that I stopped using IE a long time ago.

What did you do when you heard this news?

Source: ComputerWorld

Category: Operating Systems, Security
