Microsoft (NSDQ: MSFT) learned of a flaw in IE 7 on "Patch Tuesday," Dec. 9, and had a fix published for download eight days later. Now, Microsoft's Michael Howard, from the security engineering team, takes a look at the lessons learned.
Building, testing, and releasing a patch in about a week, especially a patch for Internet Explorer, which runs on all supported versions of Windows, meant that a group of software engineers worked a string of very long days to get the patch out.
The unanswered question is: how do flaws of this magnitude get into the final product? Howard describes the nature of the flaw in technical detail that is beyond the scope of this blog. Essentially, the flaw (which would allow attackers to remotely infiltrate at-risk systems by having users do no more than surf to the wrong URL) was an invalid pointer dereference in the MSHTML.DLL library used for data binding. Attackers would be able to exploit the way code is handled when a certain type of binding object was released, and a time-of-check-time-of-use (TOCTOU) programming error would result.
Howard also explained that during the code analysis and review process, the company's normal fuzz testing (using software tools to find software bugs) wouldn't necessarily have worked, because no fuzzer test case had been created for this specific code.
Howard also notes: "When the exploit code runs, it's running at low integrity because IE runs at low integrity, and this means the exploit code cannot write to higher integrity portions of the operating system, which is just about everywhere!"
Microsoft has grown to be more collaborative with the IT industry and the information security community, and more transparent about its mistakes.