A former Microsoft worker has identified security vulnerabilities in smart card plug-in software for Windows Vista that might allow hackers to take over vulnerable PCs. Dan Griffin used a fuzzing tool he developed, dubbed SCardFuzz, to find bugs in software from an unnamed smart card vendor. Griffin, who left Redmond's smart …
Is it me....
or does this sound a little sinister?
Man works in Team A working on product X.
Man leaves Team A and sets up company to find problems with product X?
Could he have actually designed a flaw into Team A's Product X to make himself rich and famous?
Yeah, that would be a bit cheeky.
But here's another scenario - a pen tester by the name of raven worked for years as an ISP engineer. She got sick of the general lack of security and the kicks to the head she got when the risks she was warning management about crystallised into issues and impacted the operation.
So, she went into pen testing, where she did an excellent job of revealing the poor levels of security observed by ISPs.
Not saying that's happened here - I happen to believe MS to be much more security conscious than many vendors. A LOT more. There are probably a lot more shades of grey here...
Surely this is a vendor issue?
Ok, I'm no MS apologist but:
"SCardFuzz creates a heap-based buffer overflow in the unnamed vendor’s plug-in for Microsoft Vista"
So, nothing really to do with Vista, just a crap vendor writing crap drivers?
I have absolutely NO knowledge of the situation but perhaps he got tired of warning admins that a vulnerability existed and they kept replying "Just get it out the door" so he gets frustrated and leaves?
Or having worked with the design team he just knew what kind of problem would inevitably occur... ?
Has anybody looked at the quality of his coding?
Would be interesting to find out.
Causing a process to crash
If he has physical access to the machine, and has developed something that allows him to cause a process to crash, wouldn't it be a lot easier and quicker if he just took a hammer to the inside of the thing? That'd surely make it crash. Or even just unplug the power chord.
Yes it's you....
Man works in Team A working on Product X
Man finds problem in Product X, reports it, it is not fixed...
Man leaves to join Company B working on, amongst other things, Product X (which is why they hired him), points out that the bug still exists and could cause problems
Man announces to the world he will demo the bug to the world (thus allowing Team A to actually have time to fix it...)
Sounds like closed source development to me... when you don't tell anyone there is a problem, don't let anyone leave unless they tell someone...
Yes Chris, but a hammer will not allow you to take control of the machine, you need a special hammer for that.
Processes often crash when they start executing data; it's difficult to separate data and code in a von Neumann architecture. The trick is to supply the data it crashes into, and make it execute your code.
Oh, and I love the idea of computers powered by power-chord, gets all those musicians doing something useful.
I'd agree, but for the unfortunate issue of WHQL-certification, which I'll bet it has.
(WHQL - A "quality" certification from MS which appears to mean: "This is a beta release driver of limited functionality - but it won't crash your OS on installation unless you try really hard".)
RE: Surely this is a vendor issue
Oops that makes sense...
Mmmm... No! Microsoft is responsible! I don't know how but I refuse to think it might not be... If I accept your view then I might have to change my view of the universe...
My cat is fat. I blame Bill.
here be title
Reminds me of a Dilbert strip where PHB says that engineers get $100 bonus for every bug they find in the product - so they go away and create some bugs to be found later...
@ Mike Dolan
I agree with you, the problem seems to be with the vendor who plugs into Vista. However Vista should probably do a better job of validating the data that it's receiving from the smart card. Buffer overflows, once again.
Idle thought: is it possible to prevent buffer overflows by changing the design of the hardware, say something on the CPU rather than in software?
Paris because she might know more about CPU design than me.
@prevent buffer overflows by changing the design of the hardware
In the 70s IBM's 'future development' department created a system that couldn't be compromised by memory overflows and had designs that are still futuristic, such as hardware abstraction (it doesn't care if it's running on a Unix box or a PS2), 128-bit addressing back in the days when 8-bit was futuristic, single-level storage (it was designed for the day when flash drives are as quick as RAM) and hardware object protection so you can't have a buffer overflow.
Unfortunately it was so cheap to run that IBM feared it'd destroy the lucrative mainframe market so they never marketed it until the 80s.
It's still going strong, and is still invulnerable to the buffer overflows and all the other attacks Win/Nix admins have to plan for. Which is why most household name companies use it as their main system.
Care to share what this unnamed ahead-of-its-time used by a multitude of unnamed infamous companies is?
@ Phil Rigby
"is it possible to prevent buffer overflows by changing the design of the hardware, say something on the cpu rather than in software?"
Yes, and it was done a good 50 years ago. The Burroughs (now Unisys) "Large Systems" have a stack-oriented, tagged-memory, architecture with descriptor-based memory references. The memory tags allow the hardware to distinguish code and data, code being read-only. The descriptors result in array references being boundary-checked by the hardware.
Rather like wearing a belt and suspenders ("braces" to UKoids): not only can you not overwrite code, you can't even run off the end of an array and overwrite other data.
I believe there have been other hardware designs with similar feature sets, thinking of Honeywell, GE, Philco, and Bendix. Don't have personal knowledge of those so I'll leave them to the cyber-historians.
However, on reflection, it isn't clear to me how resistant such an architecture would be to a determined attempt at subversion. A mainframe presents a totally different environment from a personal computer where the owner is also the sysop.
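As an added illustration of the two mechanisms named above (memory tags that make code read-only, and descriptors that bounds-check every array reference), here is a small software sketch, not code from the article or from any commenter. It models RAM as a flat byte array and routes every store through a descriptor carrying a base, a length and a CODE/DATA tag; the descriptor and result names are constructed for the example and do not correspond to any real Burroughs or Unisys interface.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of tagged, descriptor-checked memory (assumption: a
 * software sketch of the scheme described in the comment, not real
 * hardware behaviour). A flat byte array stands in for RAM; every store
 * goes through a descriptor carrying a base, a length and a CODE/DATA tag. */

enum tag { TAG_DATA = 0, TAG_CODE = 1 };

struct descriptor {
    size_t base;    /* first byte of the region inside mem[] */
    size_t length;  /* number of bytes the region may address */
    enum tag tag;   /* CODE regions are read-only to stores */
};

enum store_result { STORE_OK = 0, STORE_OUT_OF_BOUNDS = 1, STORE_CODE_READONLY = 2 };

#define MEM_SIZE 64
static unsigned char mem[MEM_SIZE];

/* Unchecked store: what a raw pointer does. Any index is accepted, so an
 * index past the region's end silently lands on whatever neighbours it. */
void store_unchecked(const struct descriptor *d, size_t index, unsigned char value) {
    size_t addr = d->base + index;
    if (addr < MEM_SIZE)          /* keep the model itself inside mem[] */
        mem[addr] = value;
}

/* Descriptor-checked store: the "hardware" refuses the reference before it
 * touches memory if the region is code or the index is outside the length. */
enum store_result store_checked(const struct descriptor *d, size_t index, unsigned char value) {
    if (d->tag == TAG_CODE)
        return STORE_CODE_READONLY;
    if (index >= d->length)
        return STORE_OUT_OF_BOUNDS;
    mem[d->base + index] = value;
    return STORE_OK;
}

/* Demonstration: an 8-byte name buffer sits directly before a 1-byte
 * "is_admin" flag. Nine bytes of constructed input are written through the
 * chosen store; the function returns the flag's value afterwards. */
int overflow_demo(int use_checked) {
    struct descriptor name = { 0, 8, TAG_DATA };
    struct descriptor flag = { 8, 1, TAG_DATA };
    const char *input = "AAAAAAAA\x01";  /* 9 bytes: one past the buffer */

    memset(mem, 0, sizeof mem);          /* flag starts cleared */
    for (size_t i = 0; i < 9; i++) {
        if (use_checked)
            store_checked(&name, i, (unsigned char)input[i]);
        else
            store_unchecked(&name, i, (unsigned char)input[i]);
    }
    return mem[flag.base];
}

/* Demonstration: the result of trying to overwrite a byte in a CODE-tagged region. */
enum store_result patch_code_demo(void) {
    struct descriptor code = { 16, 16, TAG_CODE };
    return store_checked(&code, 0, 0xFF);
}

int main(void) {
    printf("unchecked store: is_admin flag = %d\n", overflow_demo(0));
    printf("checked store:   is_admin flag = %d\n", overflow_demo(1));
    printf("store into code region: result = %d (2 = read-only)\n", patch_code_demo());
    return 0;
}
```

With the unchecked store the ninth byte lands on the adjacent flag and flips it; with the descriptor check the same input is rejected at index 8 and the flag stays clear, and any store into a CODE-tagged region is refused before memory is touched. This is exactly the "belt and suspenders" pairing the comment describes, reduced to a few lines so the two checks can be seen separately.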
"I happen to believe MS to be much more security conscious than many vendors"
I agree. MS is very aware of the lack of security in their products.
They just don't care, as long as their lack of security doesn't affect sales.
@ Morely Dotes
Yes: it's all about the benjamins at the end of the day (i.e. profit is the main driver for vendors), no surprise there - Bill likes green.
but trust me, in 5 years time Mac will have the poor security rep MS has now, because MS put more time and money into security than they do.
Twist your noodle on this:
A man works for Company A; enough about the man, Company A makes software most of the world uses. Company A management and brain trust thought that the internet was a flash in the pan. Little did Company A realize that the "flash in the pan" would turn into the largest attack vector for their software products. The brain trust of Company A is so bombarded by wave after wave of exploits that he has to declare "security is extremely important" to staff and clients alike. To address this new important focus Company A buys Company B and C to protect their products. Now Company A sells software to protect their software which they should have done a better job securing in the first place. As for the man, if he wants to start/work for Company D after leaving Company A selling security services for Company A's insecure software; good on him! Company A will buy Company D anyway so they can use Company D's software to find holes they shouldn't have created in the first place.
Only in the US are software companies like Company A exempt from the RICO Act. It's a travesty that they are allowed to sell "Protection" for committing lousy software development. Maybe someone can lobby the Gov't to add incompetence on a grand scale to RICO.
I chose Paris because she knows more about "Protection" than Company A although she doesn't get paid for it ;-)
Who is this mysterious "Mac" you speak of? Perhaps you mean Apple?
MS don't have a bad security reputation because they are popular... It's because for years they simply didn't give a toss. Apple is unlikely to start caring less about security.
Yeah sorry - Apple, that's who I meant (confused? me? ahem).
My point is MS have put a decent amount of investment into security recently, but it's hard to change perceptions overnight. It must be galling for them to watch other vendors such as Apple (no offence, like) apply minimal attention to security, while MS are still perceived as being insecure.
A good point for FUD pushers: once you have a crappy reputation, it can be hard to shake.
RE: "Care to share what this unnamed ahead-of-its-time used by a multitude of unnamed infamous companies is?"
AS/400 with OS/400.