Microsoft’s latest security problem
Enough with the buffer overruns already!
11/21 ReleVents
by James Mathewson
At one time we filled an entire column every month with Microsoft security bulletins. The column didn’t just list the bulletins, it also explained what they meant and how to best use their associated patches. The column ran for two years, and often there were more security bulletins on Microsoft’s site than we had space for in a two-page column. That was just for the security problems Microsoft admitted to; Microsoft just as often denied a security problem until proven otherwise.
As the editor of that column, I learned an awful lot about Microsoft security (an oxymoron), mostly on NT server, but also on IIS, Internet Explorer, and Outlook/Exchange. In one three-month period prior to the launch of Windows 2000, Microsoft averaged a bulletin a day on NT 4–a product that had been on the market for three years. After Windows 2000, some of the same security issues cropped back up. Apparently, Microsoft security experts had short memories.
The most common problem in those years, and in the years since, is the buffer overrun. In layman’s terms, a system is vulnerable to buffer overruns when the memory allocated for a given data transfer is not sufficient and data overflows its allotted cup, so to speak. In and of itself, other than data loss, an overrun is relatively benign. But hackers can use the overrun to write code to other parts of the system that should be protected. When malicious data (e.g., a virus) overflows its cup, there’s no telling how or where the data might damage the system.
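To make the "cup" picture concrete, here is an added illustration in C (not part of the original column and not code from any Microsoft product): one array models the cup and the protected bytes next to it, and the same oversized input is copied once without a length check and once with one. All names and the sample input are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define CUP_SIZE   8   /* bytes allocated for the incoming data (the "cup") */
#define GUARD_SIZE 8   /* neighbouring bytes that should stay untouched */

/* One array models adjacent memory so the spill stays well-defined C. */
struct arena { unsigned char mem[CUP_SIZE + GUARD_SIZE]; };

static const unsigned char GUARD[GUARD_SIZE] = "PROTECT"; /* 7 chars + NUL */
/* Constructed sample input: 12 data bytes, 4 more than the cup holds. */
static const char SAMPLE[] = "AAAAAAAAAAAA";

static void arena_init(struct arena *a) {
    memset(a->mem, 0, CUP_SIZE);
    memcpy(a->mem + CUP_SIZE, GUARD, GUARD_SIZE);
}

static int guard_intact(const struct arena *a) {
    return memcmp(a->mem + CUP_SIZE, GUARD, GUARD_SIZE) == 0;
}

/* Unchecked: trusts the caller's length, so n > CUP_SIZE spills over. */
static void copy_unchecked(struct arena *a, const void *src, size_t n) {
    if (n > sizeof a->mem) n = sizeof a->mem; /* clamp only to bound the demo */
    memcpy(a->mem, src, n);
}

/* Checked: rejects anything larger than the cup; 0 = ok, -1 = rejected. */
static int copy_checked(struct arena *a, const void *src, size_t n) {
    if (n > CUP_SIZE) return -1;
    memcpy(a->mem, src, n);
    return 0;
}

/* Returns 1 if the guard bytes survive an unchecked copy of SAMPLE. */
int unchecked_keeps_guard(void) {
    struct arena a; arena_init(&a);
    copy_unchecked(&a, SAMPLE, sizeof SAMPLE - 1);
    return guard_intact(&a);
}

/* Returns 1 if the checked copy rejects SAMPLE and the guard survives. */
int checked_keeps_guard(void) {
    struct arena a; arena_init(&a);
    return copy_checked(&a, SAMPLE, sizeof SAMPLE - 1) == -1 && guard_intact(&a);
}

int main(void) {
    printf("unchecked copy, guard intact: %d\n", unchecked_keeps_guard());
    printf("checked copy, guard intact:   %d\n", checked_keeps_guard());
    return 0;
}
```

The only difference between the two copies is the single length comparison against the size of the cup.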
I’m not exaggerating when I say that Microsoft server environments have had hundreds of buffer overrun problems since 1996. And yet, they still crop up. The most infamous was Code Red, which exploited IIS’s limited memory buffer to wreak havoc on Web sites. Code Red was probably the most damaging worm in history, disabling hundreds of sites and taking down Qwest’s DSL service for more than two weeks.
Given the damage a buffer overrun problem can do and the sheer quantity of these problems in Microsoft environments, one would think that Microsoft would quickly move to permanently put an end to buffer overrun problems. If it is trying to do so, it is failing, as a story on our site last week shows. This time, the problem is with Microsoft’s Media Player 6.4. If a hacker embeds malicious code in an Advanced Streaming Format file and it overruns the buffer, users can find any number of problems in their systems.
Besides the persistence of buffer overrun problems in Microsoft environments, this new problem should give us all pause for at least two reasons. First, we are talking about consumer products here. While Microsoft commonly blames administrators for not installing patches to their systems, can it rightly blame neophyte users if they don’t monitor the security sites and install patches on their home systems? Second, everyone knows Microsoft’s latest push is to use Windows XP as a means to make Media Player ubiquitous, just as it did with Windows 9x and Internet Explorer. If a lack of consumer choice is not enough to spur talks between Microsoft and the nine states fighting for stronger antitrust provisions in any settlement, forcing users to accept security problems should be.
James Mathewson is editor of ComputerUser magazine and ComputerUser.com.