back to article Microsoft confirms code execution bug in Windows

Microsoft has confirmed reports that several versions of Windows are vulnerable to exploits that allow remote attackers to take full control of users' computers using booby-trapped emails and websites. In an advisory issued Tuesday, Microsoft said it was investigating “new public reports” of vulnerability in the XP, Server 2003 …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Gates Halo

    Sir

    Bears?

    Pope?

  2. adnim

    Basic sanity checking

    “The vulnerability is exploited by setting the number of color indexes in the color table to a negative number,”

    Lets face it, colour indexes in a colour table are never negative values so what is the point in performing a check to see if such values are negative.

    I was under the impression that some of the worlds best coders are employed by MS. Perhaps they let some 1st year student on a placement code the GRE.

    Scroogle "Windows Graphics Rendering Engine". The search results speak volumes about MS' commitment to secure coding.

    1. Greg J Preece

      Or better yet

      Use an unsigned short!

    2. Anonymous Coward
      Stop

      RE: Basic sanity checking

      "I was under the impression that some of the worlds best coders are employed by MS."

      The evidence repeately points to the fact that this is NOT the case...

      1. Tom 7

        The best coders are employed by MS

        but MS doesn't know what to do with them - just stop them working for the competition.

        They've got the best team in the world sitting on the bench - I doubt any of them would even consider going near Windows code though...

    3. doperative

      check to see if such values are negative

      > Lets face it, colour indexes in a colour table are never negative values so what is the point in performing a check to see if such values are negative.

      They don't check for negative values, that is the vulnerability !

    4. Eeep !

      M$ development doesn't walk the talk

      Agree !

      Initially when they published books on coding I read them all because who better to learn from than the authors of a operating system and applications. There are some very valuable lessons in those books and they have definitely benefited embedded projects I've mopped up - non-M$ related ones especially.

      Pity that the authors (I assume ghosting) aren't the really actual implementors and that the actual implementors don't read them.

  3. Dan Paul
    Gates Horns

    What about programs that use the Windows Graphic Rendering engine?

    There must be several hundred programs, that either use or make thumbnails of various pictures, that run on Windows. This will not be fixed soon as MS has too much to lose by breaking this function in existing 3rd party software, let alone cutesy thumbnails on picture folders in Windows or within them.

    Seeing as how those 3rd party programs are probably deeply hooked into the graphic rendering engine, one would assume that the programs themselves probably have similar vulnerabilities to the operating system or won't work properly once this issue has been fixed.

    How many people ever update the crapware that came with their camera, scanner, all in one printer etc etc?

    More importantly, how many manufacturers look for vulnerabilities in the crapware they foist off on their customers (when all they wanted to do was install the frigging printer/scanner driver?)

    Answer: likely to be less than 0.001%

    Doesn't ADOBE , Picasa, Similar OEM crapware from Kodak, HP, Canon, Lexmark, Epson, make thumbnails? Hey, how about your networked copier/scanner? Let's not even talk about graphics in PC games.

    We can assume that graphic files is one area where there is some compatability between disparate operating systems. JPEG's are pretty universal so the "Cult of Jobs" may even be vulnerable as well as some of our 'Nix friends.

    Okay, now run home and delete your porn collections and set your email to plain ASCII text (again).

    1. Tom 13

      No need to break functionality.

      Just need to check the values of the color indexes on the icons. If it's negative, trash it.

      Even badly coded third party apps ought to be producing positive values for color indexes, which is why hackers found it for specially crafted images and icons. If the third party apps had created them, something would have broke and it would have gotten fixed.

      Now, the rest of your rant about third party crapware is spot on.

      Not so sure about the Cult of Jobs and *nix, particularly as Jobs has decided to work with a *nix core for his OS. You might find an overflow function, but there are also fewer exploits after you've got the overflow. And I expect that if such overflow conditions occur, the *nix crew will have a patch issued long before MS.

  4. johngeorge

    windows

    i learned about the failures of every single window product 3 yrs. ago and bought a mac. windows is cheap, easy to spy on, slow as hell, and loves viruses! windows is junk! buy a mac and buy a real computer. just try to mess with my mack. just try to spy or break in my mac. it can't be done and my mac will go anywhere you windows junk will safer, faster and with no stupid problems. a mac and roadrunner is all you will ever need! john george columbus ohio

    1. Paul 129
      Troll

      Microsoft has been in the OS business for nearly 30 years

      And they (cannot/will not*) provide a useable command line interface. Get the HINT. They'll only fix something if their embarrassed into it, and only then if it doesn't go against any of their private agendas.

      The sad thing is that people are still tricked, cajoled and forced into buying this bug ridden peice of shit...

      *A MS ELUA I read this morning contained the lovely line

      "You may not: work around any technical limitations in the binary versions of the software;"

      WTF!!!!

      1. Anonymous Coward
        Anonymous Coward

        @Paul 129

        cmd.exe

        powershell.exe

        The latter is even being ported to linux. Or you can install Services for UNIX and have a UNIX shell on Windows box, or a Windows command shell (cmd.exe) which has UNIX commands.

        Everything that you do at the GUI is doable via the command line, powershell is even object orientated.

        1. Anonymous Coward
          FAIL

          Sigh ...

          "Everything that you do at the GUI is doable via the command line, powershell is even object orientated."

          Yeah. Shame its 38 years late.

          BASH has been doing this for decades.

          1. Anonymous Coward
            Anonymous Coward

            @Craiggy

            In NT you have always been able to do everything at the command line you could in the GUI.

            1. Anonymous Coward
              Anonymous Coward

              You miss the point ...

              Yes, I am aware NT (and previous versions of Windows) have always had a "command shell" (if thats what you could call it). However, we're talking about PowerShell, which is a pale imitation of the power of either a UNIX or Linux shell.

              My point was, Windows has only just now gained anything even remotely pretending to be a 'nix-like command shell and it falls abysmally short in comparison to true command shells that are now four decades old and still easily outperform it.

              Windows and DOS have NEVER had anything NEAR the power of a true command-line environment. Playing catchup this late in the game is pointless.

        2. Homard
          FAIL

          cmd and powershell ??

          Wow ! I'm shaking in my boots at the command line prowess at your disposal. NOT.

          Try proper *nix command shells, and all the command line tools you have. You'll soon find the m$ environment sadly lacking.

          One last one to try in m$ : get a command shell to fork/exec - easy as piss in *nix, and YES you do need to do it sometimes.

          Back to the original article : web facing code that doesn't do basic bounds checking or use a sane variable type such as unsigned int ? Not very impressive at all. All I will say is I expected better, and the code checking tools they use can't be much good. Speaks volumes about the rest of the code.

          The only icon is FAIL.

        3. Paul 129
          FAIL

          @AC ROFL!!

          Create a junction to a directory above. Enjoy the madness...

          The issue is that the MS commands are SERIOUSLY INCONSISTENT. "COPY" handles Shadow copy namespaces, "XCOPY" fails. So you need to script something to iterate through the directory structure, sigh...

          And at any time they'll just dump and break what they have had in the past.

          Powershell may give me the solution, to the issue above. But MS redoes everything, and inconsistently. eg dos, wsh, powershell, alternate data streams, VSS

          They just don't care, and they'll suck you into the next fad. I moved to linux years ago, and what do I use it for? The offline repair of Windows Machines. Virus removal, cleaning out registry issues, redeploying onto different hardware when the motherboard dies. Why? Cause linux is faster, more stable, and you can reuse the code, rather than being forced by MS to reinvert to keep up with the current fad, that still in the end

          DOES NOT BLOODY WORK!

    2. Lars Silver badge
      Linux

      @johngeorge

      Good for you, my choice has been Linux.

    3. Anonymous Coward
      Thumb Up

      RE: windows

      You're quite correct. Windows is garbage (as are most MS products!)

      You don't need to get a Mac though, any other OS is better than Windows...

      1. Anonymous Coward
        Troll

        You are wrong

        Microsoft Flight Simulator is great!

    4. Doug Glass

      Yes, ...

      ... that your mommie pays for.

    5. The Fuzzy Wotnot
      WTF?

      Oh shut up troll! Freaking "Fanbois" get up my nose!

      I'd like to stand up and say you do not speak for a large majority of sensible Mac users.

      As a devoted Mac user I think Windows and Linux are damn good operating systems. They have their place, people get a great deal of use out of them and they get their stuff done. Now why have you got to crap all over them?

      Like the Mac has no problems! Bollocks! It has plenty of dopey problems that sometimes get on my nerves, but I still prefer it. I only have a Mac as I spend all day administrating Linux and Solaris Oracle DB servers, I know IT pain so I want to go home, switch-off and just enjoy using a home computer.

      After a hard day fighting with SunOracle I want the Fisher-Price experience that OSX gives me, it's a sort of sad IT regression/fetish thing I suppose!

    6. MinionZero
      Joke

      @johngeorge

      I like it when you said "buy a mac and buy a real computer" ... why do you want us to buy two computers. ;)

    7. jcipale
      Linux

      or better yet

      I recommend a good anti-virus tool. Ubuntu/Fedora Core/Suse/Debian come to mind.

  5. Anonymous Coward
    FAIL

    Repeat with me now...

    The starting point for being secure is to reduce as much as possible your attack surface. The less entry points you expose, the better.

    Moving the graphics driver to kernel space was done in W2000 in the name of performance. But was a very very bad security decision. It increased the attack surface by orders of magnitude. Same for that monstrosity of executing natively compiled code from your browser. Hello, ActiveX.

    Windows has been, and will be, plagued with the consequences of those two decisions. If there is a ranking of bad software design decisions, those two should be at the top. There's not an easy way out of these, and Windows is likely to suffer forever from them, in the name of the sacred backwards compatibility.

    One only hopes that those mistakes are not repeated elsewhere. Yes, Linux, I'm looking at you.

    1. Ken Hagan Gold badge

      A pernicious urban myth

      "Moving the graphics driver to kernel space was done in W2000 in the name of performance. But was a very very bad security decision. It increased the attack surface by orders of magnitude."

      It was NT4, but let's not quibble. The *real* error in this statement is that it increased the attack surface. The graphics system had previously been running in the Win32 client-server service. This *is* user-mode code, but was running as SYSTEM and the session manager would shut-down the entire system if anything went wrong with that process.

      So ... if you could provoke a crash in the NT3.x graphics system, it would take the entire system with it. (This will seem bizarre to Linux fanbois, but the rationale was, and probably still is, that Windows systems had no culture of even "command line only" operation, let alone "headless". If you lost the GUI, the system was unusable, so it might as well shut down as cleanly as it can and reboot.) That's no different from NT4. Equally, if you could execute code in that process, you could easily get into the kernel and own the system. Again, that's no different.

      1. Anonymous Coward
        Anonymous Coward

        I'm afraid but you're wrong

        "The *real* error in this statement is that it increased the attack surface. The graphics system had previously been running in the Win32 client-server service. This *is* user-mode code, but was running as SYSTEM and the session manager would shut-down the entire system if anything went wrong with that process"

        No, the statement remains true. And your assertion is also true. Running as SYSTEM means that the graphics code had root level privileges and thus the attack surface was equivalent. However, it is possible to evolve that to something more isolated in the future if you keep the graphics code running in its own user space. The key point here is that the day they decided to move the graphics code to the kernel, they closed any possible enhancements towards a more clean and segregated architecture. So it still stands true that it was a bad design decision.

        We have to be also considerate with the people that made that decision. At the time, the internet had just been invented and no one anticipated a world of exposed systems like the one we have today. It made sense at the time, and likely gave them a performance edge over the competition, as well as opening Windows NT class OSs to high end gaming and other areas where graphics performance was key. So at the time it was not a bad decision.

        "So ... if you could provoke a crash in the NT3.x graphics system, it would take the entire system with it"

        Mmmmm... that was not my experience. You could crash the graphics system and the rest of services were still running. That is, if you crashed the GUI of a file server, the box would continue serving files just fine.

        True, for a system that had no concept of "command line only" usage, the only fix to get the GUI back is a reboot, but that does not mean that crashing the GUI crashed the whole system. As stated above, the system could have evolved to a cleaner separation of duties between GUI and kernel, like Unix has. But that cannot happen if the graphics code is in the kernel.

  6. Anonymous Coward
    Alert

    Windows Graphics Rendering Engine

    How many times has a bug in the Graphics Rendering Engine allowed attackers to root the entire system? Why is this still possible!!?

    I'm not a computer scientist, so correct me if I am wrong, but shouldn't the Graphics Rendering Engine run with ordinary user privileges?

    “The vulnerability is exploited by setting the number of color indexes in the color table to a negative number,”

    Do Microsoft not sanitise input? WTF?

    "exploits can bypass security measures such as data execution prevention and safe exception handling"

    So what is the point in these security measures that don't work?

    1. Anonymous Coward
      Flame

      @AC / Shouldn't MS work Properly ?

      You are absolutely right. The IT industry is full of people who can go great lengths to explain why they will not clean up the mess they have created. It usually boils down to "too expensive; we need to implement new features urgently and don't care about that old stuff".

      The core problem is that there is not even a consensus about the core skillset of a "computer scientist". Anybody who knows something about bit-fiddling can call himself a "computer scientist", provided that a somewhat accepted university awarded that title. There is absolutely no such thing as a Core Curriculum. As a plumber you must be able to solder, but as a "computer scientist" you don't need to know compiler theory, relational databases, operating systems, cryptographics or the like. It is fully sufficient to have done some automated number-summing in business statistics, for example and to have a uni award you the title "computer scientist".

      Most "software engineers" are in this business because it is known to make good $$, as much as many girls are in the business of relaxing men.

    2. Ken Hagan Gold badge

      Re: WTF?

      "but shouldn't the Graphics Rendering Engine run with ordinary user privileges?"

      It needs to talk to your display adapter, so not quite "ordinary user privileges". It could certainly run with fewer than it currently has, but not all the hardware that Windows has ever run on make it efficient to give per-process access to hardware resources. It might just be a case of over-engineering.

      "Do Microsoft not sanitise input? WTF?"

      Here, I think you've hit the nail on the head. If you aren't going to "over-engineer" the layers of security, then you certainly need to be paranoid about checking any data that you didn't generate yourself. All currently supported versions of Windows were produced under Microsoft's "secure development lifecycle" and checking raw input when you cross a security boundary (like an app calling into the kernel) is about as basic as secure development gets. Embarrassing, that.

  7. Anonymous Coward
    FAIL

    No, no, no!

    You got it all wrong! It was Mac OSX that was supposed to have security problems this year that's all the analysts and security vendors have told me. God, where's that good Mac malware when we need it most ?

  8. Change can be good
    Alien

    I'm glad I'm using Ubuntu

    Use Linux (Ubuntu)

    Its free, safe and secure.

  9. Anonymous Coward
    Anonymous Coward

    What a mess

    Considering this is a new bug, and some have said graphics related, on a whim I wondered how many gdi exploits have crept back in?

    (note: wtf! - You have to look real hard to even find the gdiscan.exe tool from SANS now)

    Once you find the tool . . . A scan on my own box....

    pagan daybook 3 - Version: 5.1.3097.0

    ConceptDraw 7 - Version: 5.1.3079.3

    Daniusoft Video Converter - Version: 5.1.3097.0

    iSkysoft Flv Converter - Version: 5.1.3097.0

    Maize Studio - Version: 5.1.3097.0

    Pinnacle VIdeo Spin - Version: 5.1.3097.0

    Power C DVD Recovery - Version: 5.1.3101.0

    TVU Player - Version: 6.0.3260.0

    MS VS 10 0 - Version: 3.0.3784.0 <-- Possibly vulnerable (Under OfficeXP only)

    For joy, I just love wasting my time, and repeating the past. If this crap has slipped back into my main box, its time for me to audit every machine again.

    Good thing I have cloned backups and all my passwords are on USB password managers now. Right? Right?

    God damn it, I would rather get some work done instead of this constant ******** with exploits. Yeah yeah it's a matter of backing up, copying a new file "gdiplus.dll", testing the app, deleting the backup or raring it up to a passworded file, and there's only what nine on this box. However I wonder if the scanner even runs on win 7. I guess I will be finding out real quick here. I hate patch tuesday, it's like rolling the dice every time, will these updates bring production to a halt?

    Too bad that ERUNT tool doesn't do .dll's.

    What a cruel world, maybe We should just unplug for 5- 10 years and see how screwed up our governments, economy, the internet are going to get. Remember, if I unplug, stop hosting, stop domain names, stop ISP bills, I would have to say about 3000 other people would suffer from it. Could I even discipline myself to walk away from technology? Another question altogether.

    I'm sorry, my mind is so ****** right now from all this crap in the world, I can't seem to stay focused on one thing for more than 5 minutes.

    For those who are wigging on what I just noticed with the gdiscan the original filename was

    gdiscan.exe and I see one here: http://www.csis.on.ca/setup/-Older%20Files/

    And I see the md5sum is still here: http://www.governmentsecurity.org/forum/index.php?showtopic=11593

    God I hope 2011 starts getting better it's already ****** up.

    1. Big-nosed Pengie
      Linux

      God damn it, I would rather get some work done instead of this constant ******** with exploits.

      There's a simple, free solution. :-)

  10. efeffess

    Bad Software == Good Money

    Microsoft for a fact hires quality programming talent. However, companies understand that more bugs and more vulnerabilities equates to more press, more name-dropping and, therefore, more market value, and exploit this accordingly.

    Users in general rarely understand computing technologies, and prefer to rely on what's popular; Microsoft is still (though not as much as in the past) considered a trustworthy and reliable source. Rather than a company relying on techs to make the OS purchasing choice, management blames the bugs on techs; the users generally either accept such problems as a natural state of affairs, or blame their own technical inexperience.

    Then we're sold the line that programmers can't avoid bugs, which lends itself to an excuse for them to introduce buggy code and sell programs as quickly as possible to make money as quickly as possible. Instead of blaming Microsoft, which is legitimately in business to make money, look instead at the docile user base of computing in general.

    (In Grade 9 CS, we were taught to always check values to ensure they were within expected ranges. Coders know how to range check values with a compare statement.)

    1. Chemist
      Linux

      "Microsoft for a fact hires quality programming talent"

      and has lots of development budget no doubt.

      So how come a loose bunch of (initially) part-timers have managed to put together a better OS ?

      1. Anonymous Coward
        Joke

        @Chemist: Don't you dare to promote Anti-American, Anti-Capitalist EvilWare

        Don't you know, Richard Stallman is a French Agent with the mission to destroy America, Fredoom in General and also Fatty Burgers !

      2. efeffess

        Microsoft: money versus quality

        Microsoft could have produced a bug-free operating system at any time since its inception. Easily. However, Microsoft is and always has clearly been more about generating cash flow and increasing market value over any other priority.

        History has not only marked Gates as a highly successful businessman, but also as an adept, intelligent programmer. For his purposes, though, the former succeeds the latter.

        1. Chemist

          "an adept, intelligent programmer"

          First BASIC I ever had was a 6502 (UK101) with a whopping great bug in the garbage collector. That's how good he was.

  11. Danny 4
    Linux

    Install Linux. Do it now.

    Sigh. How many times have we gone over this... If you keep giving Microsoft your money it only encourages them to keep writing software. Install Linux and have done with it.

    1. This post has been deleted by its author

  12. Anonymous Coward
    Flame

    Ah, my daily fix

    Almost every day El Reg reports a new vulnerability in Windows. It's time we all ditched the bloated, buggy, security hole that MS have foisted on us for so long.

  13. The Dodoman
    Grenade

    Go Get an Abacus...

    Show me an OS which has never had critical fixes... The fact is that exploitable bugs are there no matter which OS you use...

    1. Anonymous Coward
      Coat

      OpenBSD coud be a good candidate

      but sadly nobody is ever interested in a secure OS

    2. prathlev
      Linux

      @The Dodoman

      It's the *lack* of critical fixes that people complain about. Every sane OS (which excludes OS/400) needs fixes to critical bugs. We get updates to our CentOS servers often, and the Fedora workstations get them like every day.

      The problem is when there's a bug and the fix is NOT supplied. And then the exploiting starts...

  14. Riccardo Spagni
    Jobs Halo

    Meh.

    I switched to OS X recently when I got the new Air (the built to order 13", mind you, I need a bit more oomph under the hood) and am thus far exceedingly happy. Still, I find that I am constantly running a bunch of applications (for work) in Parallels, which means I now have to fork out the money for Magical Steve's next-big-OS-X-release, plus my Win 7 license, plus antivirus for Win 7. I guess escaping MS is impossible. For those intrigued (and I invite suggestions for tools that I can use to replace these, bearing in mind that the backend in the office will remain Windows/MS SQL/SAP based as I am the only Mac user here), this is what I'm forced to run in a VM:

    - SAP Business One

    - Remote Desktop (and PLEASE don't tell me to use VNC or the RD client that comes with Office for Mac, as they both fail pretty hard)

    - Visual Studio 2005 (for developing SQL Reporting Services reports)

    - Visual Studio 2010 (internal applications, many of which interact with SAP using the B1 SDK)

    - SQL Server Management Studio (backend is all SQL 2005)

    I was initially going to go XP in the VM because it's slimmer, but now I'm glad I decided to go the whole fat hog and run Win 7 - not least of all because I avoid exposure to this vulnerability.

    1. Hans 1
      FAIL

      Yur business uses SAP?

      see title!

  15. doperative

    the company that made thumbnails dangerous

    Even if there were a vuln in thumbnails, this shouldn't propagate into a system wide vulnerability. Microsoft the company that made thumbnails dangerous

    "the first known report of the bug in the way those operating systems process thumbnail images came on December 15"

    “The vulnerability is exploited by setting the number of color indexes in the color table to a negative number,”

  16. Steven Davison

    Because...

    "Sigh. How many times have we gone over this... If you keep giving Microsoft your money it only encourages them to keep writing software. Install Linux and have done with it."

    Because :-

    Not everything I run has been ported to Linux

    I don't want to faff with Wine/and or other emulation systems...

    "Free" does not always equal "better"

    just a few responses.... not all of them either...

    MS do need to sort out their coding, if issues like this remain unpatched!

  17. wilgeman
    Linux

    @AC 13:12 Cygwin FTW!

    I will +1 your UNIX services and would rather install Cygwin to make Windows at least palatable to administer remotely and actually have a FUNCTIONAL command line!

    But you could always install Linux or BSD and rid your hard drive of redmund bloatware!

  18. TkH11

    Code reviews

    Don't they do code reviews at Microsoft?

    Don't they test adequitely?

    I mean, just because a piece of code should never process negative numbers doesn't mean to say you shouldn't throw negative numbers at that code and see what it does.

    Isn't that how you find bugs? !!!

    1. Anonymous Coward
      Flame

      @TkH11: They are Way Too Busy

      ..to get the Ribbon GUI working. And rearranging buttons of XP and sell it as "Vista". They also had never time to do that when Windows 2000 was sold, because then the big challenge was to Round Off The Edges Of the Windows for the "XP" release.

      Technologically, not that much has changed in the core since WNT 3.1; they made mostly cosmetic changes to sell a new version, in order to generate $$.

      Indeed they could afford to write as much test code as production code, but that would delay all the projects which are meant to generate $$ in a few months. Wall Street would not like that and we all know The Truth Comes From Money. Money Is Our God. Money Knows Best. Hail To Money !

This topic is closed for new posts.

Other stories you might like