May 09, 2005

Doing the Right Thing: Microsoft Delayed XP SP2 Due to Integer Overflows

When XP SP2 was first delayed, there were a LOT of complaints about the fact MS couldn't keep their act together as it relates to their development cycle. It's easy to assume the worst and complain when you have no idea what is really going on.

Last week at CanSecWest it was brought forth that Microsoft delayed the release of SP2 by 6 weeks when they found some significant issues with integer overflows. I wonder if that was why Michael Howard wrote an article on the very thing in April 2003. Or why he continues to talk about it to this day.

Apparently Microsoft found integer overflows in a lot of different places in the code, and they quickly realized that they weren't looking for them the same way they looked for other things like buffer overflows. Microsoft decided that fixing the problems was more important than keeping the original product schedule, and thus let the shipping schedule slip another 6 weeks.

Interesting quote from Window Snyder, the security strategist at Microsoft who was presenting this information: "We slipped 6 weeks just for this... but it was the right thing to do."

Bravo. Damn straight it was the right thing to do.

I was recently at Microsoft for a week doing interop testing with our kernel-mode security drivers in their test lab in Building 20 when I came across a potential buffer overflow based on a static #define which was used incorrectly. This was from code over 3 years old now, and really should have been caught by now. Unfortunately static code analysis tools like PREfast can't catch this sort of thing, and our human heuristic tests or automated code analysis tools were not designed to look for this type of problem. When I found this I stopped all further work until we rescanned all code for this type of error, and not the error itself. Doing so found one other instance where we did something similar. The result? A newly added code scan test to check for such things to prevent it from occurring again in the future.

I was pleased to hear Microsoft taking the same attitude. It INDEED was the RIGHT THING TO DO. Good job.

Posted by SilverStr at May 9, 2005 09:36 AM