US-CERT - Microsoft Hyperlink Object Library stack buffer overflow (VU#394444)
If this weren’t funny, it would be sad: http://www.kb.cert.org/vuls/id/394444
I give Microsoft a lot of credit.
They have millions if not billions of lines of code they maintain. Errors are bound to creep up. Bugs are going to be discovered.
But for the love of God and all that is holy, a buffer overflow!
In 2006, there is absolutely no excuse for a buffer overflow in production code. Beyond basic software engineering skills training, there are automated tools to check for overflows.
If you are serious about security, as Microsoft claims to be, you would institute a few changes (5 years ago, when they first started talking about security, would have been a good time…).
- Develop coding best-practices checklists that identify possible trouble statements (scanf) and ways to avoid them
- Institute a software inspection regimen to precede any introduction of code into the source tree
- Adopt policies that reward developers who have the fewest bugs, and provide incentives for developers who have work to do in this area
- Employ automated tools to assist in the search for overflows and other common code-level vulnerabilities
- Employ automated tools that search for run-time vulnerabilities
- Develop significant test case libraries and harnesses for both of the above
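The first checklist item, shown as an added example that is not from the original post: the unbounded `%s` trouble statement beside a bounded replacement. It uses `sscanf` on a string in place of `scanf` on stdin so it runs deterministically; `NAME_MAX_LEN` and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16  /* constructed buffer size for this example */

/* Checklist "trouble statement": %s carries no width, so any token longer
 * than NAME_MAX_LEN - 1 bytes is written past the end of the caller's buffer.
 * Kept for comparison only; never feed it untrusted input. */
int parse_name_unsafe(const char *input, char *out)
{
    return sscanf(input, "%s", out) == 1 ? 0 : -1;
}

/* Checklist fix: measure the token first, reject anything that does not fit
 * (including the terminating NUL), then copy exactly that many bytes.
 * out must point to at least NAME_MAX_LEN bytes. */
int parse_name_safe(const char *input, char *out)
{
    size_t start, len;

    if (input == NULL || out == NULL)
        return -1;
    out[0] = '\0';

    start = strspn(input, " \t\r\n");          /* skip leading whitespace */
    len = strcspn(input + start, " \t\r\n");   /* length of the first token */

    if (len == 0)
        return -1;                             /* no token present */
    if (len >= NAME_MAX_LEN)
        return -2;                             /* too long: reject, do not truncate silently */

    memcpy(out, input + start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    /* Constructed sample inputs: one that fits, one oversized, one empty. */
    const char *samples[] = { "  alice", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = parse_name_safe(samples[i], name);
        printf("rc=%d name=\"%s\"\n", rc, name);
    }
    return 0;
}
```

Rejecting oversized input with a distinct return code, rather than truncating it, gives the test harness from the last list item something concrete to assert on.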
Can this be done and still bow to your shareholders who want timely deliveries of products?
I assert that YES it can!
Without getting into it too deeply, the end game is that you end up moving your time out of post-launch bug fixing and redeployment and into earlier stages of the software lifecycle.
Removing bugs before they are introduced takes factors less time than removing them after the code is in production.
By getting smart, you can actually deploy products, bug-free, on time or even ahead of schedule.
I point readers to a few key resources:
- “Rapid Development” and “Code Complete” by Steve McConnell - actually, read all of his books :) - Excellent books on software engineering methodology in today’s business climate.
- “Software Release Methodology” by Michael Bays - details on the full lifecycle as it relates to deploying software.
- PSP and TSP (Personal and Team Software Process) books by Watts Humphrey. Become a great coder.
There are also some great texts on software testing, and I urge you to read as many as you can.
Don’t trust code. Verify.
Bill