back to article Ex-MS staffer to demo Vista smart card hack

A former Microsoft worker has identified security vulnerabilities in smart card plug-in software for Windows Vista that might allow hackers to take over vulnerable PCs. Dan Griffin used a fuzzing tool he developed, dubbed SCardFuzz, to find bugs in software from an unnamed smart card vendor. Griffin, who left Redmond's smart …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Down

    Is it me....

    or does this sound a little sinister?

    Man works in Team A working on product X.

    Man leaves Team A and set's up company to find problems with product X?

    Could he have actually designed in a flaw into Team A's Product X to make himself rich and famous?

  2. toby

    @Stu

    Yeah, that would be a bit cheeky.

    But here's another scenario - a pen tester by the name of raven worked for years as an ISP engineer. She got sick of the general lack of security and the kicks to the head she got when the risks she was warning management about crystallised into issues and impacted the operation.

    So, she went into pen testing, where she did an excellent job of revealing the poor levels of security observed by ISPs.

    Not saying that's happened here - I happen to believe MS to be much more security conscious than many vendors. A LOT more. There are probably a lot more shades of grey here...

  3. Mike Dolan
    Stop

    Surely this is a vendor issue?

    Ok, I'm no MS apologist but:

    "SCardFuzz creates a heap-based buffer overflow in the unnamed vendor’s plug-in for Microsoft Vista"

    So, nothing really to do with Vista, just a crap vendor writing crap drivers?

    Cheers,

    Mike

  4. ImaGnuber

    Mmmaybe...

    I have absolutely NO knowledge of the situation but perhaps he got tired of warning admins that a vulnerability existed and they kept replying "Just get it out the door" so he gets frustrated and leaves?

    Or having worked with the design team he just knew what kind of problem would inevitably occur... ?

    Has anybody looked at the quality of his coding?

    Would be interesting to find out.

  5. Chris
    Thumb Down

    Causing a process to crash

    If he has physical access to the machine, and has developed something that allows him to cause a process to crash, wouldn't it be a lot easier and quicker if he just took a hammer to the inside of the thing? That'd surely make it crash. Or even just unplug the power chord.

  6. Jaster
    Gates Horns

    Yes it's you....

    Man works in Team A working on Product X

    Man find problem in Product X , reports it, it is not fixed ..

    Man leaves to join Company B working on amongst other things Product X (which is why they hired him), points out that the bug still exists and could cause problems

    Man announces to the world he will demo the bug to the world (thus allowing Team A to actually have time to fix it...)

    Sounds like closed source development to me ....when you don't tell anyone there is a problem don't let anyone leave unless they tell someone....

  7. Anonymous Coward
    Anonymous Coward

    silly chris

    yes chris, but a hammer will not allow you to take control of the machine, you need a special hammer for that.

    processes often crash when they start executing data, its difficult to seperate data and code in a von-neumann architecture. the trick is to supply the data it crashes into, and make it execute your code.

    oh- and i love the idea of computers powered by power-chord, gets all those musicians doing something useful.

  8. TeeCee Gold badge
    Gates Horns

    @Mike

    I'd agree, but for the unfortunate issue of WHQL-certification, which I'll bet it has.

    (WHQL - A "quality" certification from MS which appears to mean: "This is a beta release driver of limited functionality - but it won't crash your OS on installation unless you try really hard".)

  9. ImaGnuber

    RE: Surely this is a vendor issue

    Oops that makes sense...

    Mmmm... No! Microsoft is responsible! I don't know how but I refuse to think it might not be... If I accept your view then I might have to change my view of the universe...

    My cat is fat. I blame Bill.

  10. Alan Gregson
    Paris Hilton

    here be title

    Reminds me of a Dilbert strip where PHB says that engineers get $100 bonus for every bug they find in the product - so they go away and create some bugs to be found later...

  11. Phil Rigby
    Paris Hilton

    @ Mike Dolan

    I agree with you, the problem seems to be with the vendor who plugs into Vista. However Vista should probably do a better job of validating the data that it's receiving from the smart card. Buffer overflows, once again.

    Idle thought, is it possible to prevent buffer overflows by changing the design of the hardware, say something on the cpu rather than in software?

    Paris because she might know more about CPU design than me.

  12. Billy Goat Gruff

    @prevent buffer overflows by changing the design of the hardware

    in the 70s IBMs 'future development' department created a system that couldn't be compromised by memory overflows and had designs that are still futuristic such as hardware abstraction (it doesnt care if it's running on a Unix box or a PS2), 128bit addressing back in the days when 8bit was futuristic, single-level storage (it was designed for the day when flash drives are as quick as RAM) and hardware object protection so you can't have a buffer overflow.

    Unfortunately it was so cheap to run that IBM feared it'd destroy the lucrative mainframe market so they never marketed it until the 80s.

    It's still going strong, and is still invulnerable to the buffer overflows and all the other attacks Win/Nix admins have to plan for. Which is why most household name companies use it as their main system.

  13. Fatty Treats

    @Billy Goat

    Care to share what this unnamed ahead-of-its-time used by a multitude of unnamed infamous companies is?

  14. RW
    Boffin

    @ Phil Rigby

    "is it possible to prevent buffer overflows by changing the design of the hardware, say something on the cpu rather than in software?"

    Yes, and it was done a good 50 years ago. The Burroughs (now Unisys) "Large Systems" have a stack-oriented, tagged-memory, architecture with descriptor-based memory references. The memory tags allow the hardware to distinguish code and data, code being read-only. The descriptors result in array references being boundary-checked by the hardware.

    Rather like wearing a belt and suspenders ("braces" to UKoids): not only can you not overwrite code, you can't even run off the end of an array and overwrite other data.

    I believe there have been other hardware designs with similar feature sets, thinking of Honeywell, GE, Philco, and Bendix. Don't have personal knowledge of those so I'll leave them to the cyber-historians.

    However, on reflection, it isn't clear to me how resistant such an architecture would be to a determined attempt at subversion. A mainframe presents a totally different environment from a personal computer where the owner is also the sysop.

  15. Morely Dotes

    @ toby

    "I happen to believe MS to be much more security conscious than many vendors"

    I agree. MS is very aware of the lack of security in their products.

    They just don't care, as long as their lack of security doesn't affect sales.

  16. toby

    @ Morely Dotes

    yes: its all about the benjamins at the end of the day (i.e. profit is the main driver for vendors), no surprise there - bill likes green.

    but trust me, in 5 years time Mac will have the poor security rep MS has now, because MS put more time and money into security than they do.

  17. joe
    Paris Hilton

    @Stu

    Twist you noodle on this:

    A man works for Company A; enough about the man, Company A makes software most of the world uses. Company A management and brain trust thought that the internet was a flash in the pan. Little did Company A realize that the "flash in the pan" would turn into the largest attack vector for their software products. The brain trust of Company A is bombarded by wave after wave of exploits that he has to declare "security is extremely important" to staff and clients alike. To address this new important focus Company A buys Company B and C to protect their products. Now company A sells software to protect their software which they should have done a better job securing in the first place. As for the man, if he wants to start/work for Company D after leaving Company A selling security services for Company A's insecure software; good on him! Company A will buy Company D anyway so they can use Company D's software to find holes they shouldn't have created in the first place.

    Only in US are software companies like Company A exempt from the RICO Act. Its a travesty that they are allowed to sell "Protection" for committing lousy software development. Maybe someone can lobby the Gov't to add incompetent on a grand scale to RICO.

    I chose Paris because she knows more about "Protection" than Company A although she doesn't get paid for it ;-)

  18. Tim Bates
    Stop

    @toby

    Who is this mysterious "Mac" you speak of? Perhaps you mean Apple?

    MS don't have a bad security reputation because they are popular... It's because for years they simply didn't give a toss. Apple is unlikely to start caring less about security.

  19. toby

    @Tim Bates

    Yeah sorry - Apple thats who I meant (confused? me? ahem).

    My point is MS have put a decent amount of investment into security recently, but its hard to change perceptions overnight. It must be galling for them to watch other vendors such as Apple (no offence, like) apply minimal attention to security, while MS are still percieved as being insecure.

    A good point for FUD pushers: once you have a crappy reputation, it can be hard to shake.

  20. Neil
    Boffin

    @Fatty Treats

    RE: "Care to share what this unnamed ahead-of-its-time used by a multitude of unnamed infamous companies is?"

    AS/400 with OS/400.

This topic is closed for new posts.