
Security Strategy

Microsoft to hunt 'new species' of bugs

In the wake of WMF flaw...

By Joris Evers

Published: 10 January 2006 09:05 GMT

Microsoft plans to scour its code to look for flaws similar to a recent serious Windows bug and to update its development practices to prevent similar problems in future products.

The critical flaw in the way Windows Meta File (WMF) images are handled is different from any security vulnerability the software maker has dealt with in the past, according to Kevin Kean and Debby Fry Wilson, directors in Microsoft's Security Response Center. Typical flaws are unforeseen gaps in a program that attackers can exploit to run code. By contrast, the WMF problem lies in a software feature being used in an unintended way.

In response to the new threat, the software company is pledging to take a look at its programs, old and new, to avoid similar side effects.

Fry Wilson said: "Now that we are aware that this attack vector is a possibility, customers can be certain that we will be scrubbing the code to look for any other points of vulnerability based on this kind of attack."

Microsoft has been working for years to improve its security posture, beginning with its Trustworthy Computing Initiative, launched in early 2002. The WMF problem is not a good advertisement for Microsoft's security efforts, one analyst said, as the legacy issue seemingly went undetected.

Gartner analyst Neil MacDonald said: "This should have been caught and eliminated years ago. They overlooked image format files and that is where this WMF issue came in."

When WMF files were designed in the late 1980s, a feature was included that allowed the image files to contain computer code that could be executed on a PC, said Mikko Hypponen, chief research officer at Finnish security company F-Secure.

Hypponen said: "This was not a bug; this was something that was needed at the time. It is just bad design, design from another era." The graphics file format was introduced with Windows 3.0 in early 1990. Executable code in the image file could help abort the processing of large images on the slow systems of yesteryear, security experts said.
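As an added example (not from the article, Microsoft or F-Secure), here is a small Python scanner for the mechanism the article describes: the WMF format lets an image carry an escape record (record type 0x0626) whose SetAbortProc escape code (9) registers an abort callback, which is how an image file could contain code that cut short the processing of a large picture. The scanner walks the record stream and reports any such record so a defender can flag files before they reach a renderer; the sample images it builds are constructed here with a zero-filled blob, not code.

```python
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626             # record type carrying printer/driver escapes
META_EOF = 0x0000                # last record of every WMF stream
ESCAPE_SETABORTPROC = 0x0009     # escape code that registers an abort callback


def scan_wmf(data: bytes):
    """Walk a WMF record stream; return (offset, escape_code, byte_count)
    for every META_ESCAPE record whose escape code is SETABORTPROC."""
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        pos = 22                                   # skip the placeable header
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, pos)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    pos += header_words * 2
    findings = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        rec_len = size_words * 2                   # Size is in 16-bit words
        if rec_len < 6 or pos + rec_len > len(data):
            raise ValueError(f"bad record length at offset {pos}")
        if func == META_EOF:
            break
        if func == META_ESCAPE and rec_len >= 10:
            esc_code, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_code == ESCAPE_SETABORTPROC:
                findings.append((pos, esc_code, byte_count))
        pos += rec_len
    return findings


def _record(func: int, params: bytes) -> bytes:
    # Size counts words and includes the 4-byte size and 2-byte function fields.
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_abortproc: bool) -> bytes:
    """Constructed test image: header, one harmless META_SETWINDOWORG record,
    optionally a SETABORTPROC escape with an 8-byte zero blob, then META_EOF."""
    body = _record(0x020B, struct.pack("<hh", 0, 0))
    if with_abortproc:
        blob = bytes(8)                            # placeholder data, not code
        body += _record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, len(blob)) + blob)
    body += _record(META_EOF, b"")
    max_words = max(struct.unpack_from("<I", body, 0)[0], 9)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body
```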

Ilfak Guilfanov, a European software developer who made headlines by beating Microsoft to the punch with a fix for the Windows flaw, agreed. He said: "WMF was designed a long time ago, when information security was not considered an essential part of software design."

Microsoft's fix for the flaw was the quickest turnaround ever for a Microsoft patch, released only 10 days after the vulnerability was made public, Fry Wilson said.

While Microsoft was able to repair the problem in record time, the company was surprised by the type of vulnerability.

Kean said: "It is not a common buffer overflow. The software has a behaviour that people can take advantage of. Obviously we did not intend it to be used in that way."

At least a million computers were compromised, according to Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. The WMF issue is also expected to be a conduit for many future threats, experts have said.

Microsoft has learned from the flaw and will put the lessons into practice, Fry Wilson said. The software maker will update its Security Development Life Cycle, a set of practices that Microsoft's developers follow to prevent security vulnerabilities in products. The process includes the software maker's threat-modelling system, which checks code for potential security problems.

She said: "This kind of threat has not been anticipated before. We will be revising that information in the SDL process and redoing the threat-modelling system to make sure we are looking for this kind of attack or anything similar to it."

But Gartner's MacDonald said Microsoft should have already been hunting for this type of design problem: "I would have expected the SDL to already include data file formats. It should be a basic part of any security life cycle."

As part of its development process, Microsoft looks for a number of common mistakes developers can make. These mistakes can turn into security problems and allow attackers to hijack a PC. Some of the common problems the company looks for are buffer overflow, integer overflow and stack overflow, Kean said.

The SDL is updated every six months. Microsoft now has a team that looks at issues as they come up, which it did not have a couple of years ago. By keeping its security processes current, the software maker aims to avoid the need to reassign substantial developer resources to an all-out security review, a company representative said.

Ferreting through its code and adapting its development practices is the right thing for Microsoft to do, several security experts said. Johannes Ullrich, the chief research officer at the SANS Institute, said: "Microsoft has to become more proactive in finding and fixing these holes."

Mike Murray, director of vulnerability and exposure research at nCircle, a vulnerability management company in San Francisco, agreed. "That's the only step they can really take," he said. "Because this is a new thing, it is going to be something that a lot of bug hunters, both the good guys and the bad guys, will look for."

Microsoft doesn't expect to find many issues similar to the WMF problem, Kean said. "I don't expect this to be common but it is something that we are going to look for," he said.

Guilfanov disputes that the WMF issue is something completely new but agrees the problem is likely to be an isolated one. "Nothing is really new under the sun," he said. "It is a design flaw. There shouldn't be many but a code review can't hurt."

The hunt for other flaws in the new species of bug is on. For example, security provider F-Secure is looking to see if Windows Mobile software is vulnerable to the WMF flaw. Hypponen said he isn't sure whether Microsoft will find many design flaws like it: "I hope they don't but I'm not holding my breath."

Joris Evers writes for CNET News.com
