Stray Ampersand Led to IE, Flash Flaw: Microsoft

An accidental ampersand left key Microsoft code vulnerable to attack, while also putting at risk other vendors’ software, like Adobe’s Flash.

That’s according to a blog post by Michael Howard, Microsoft Security Development Lifecycle (SDL) team principal security program manager. Microsoft (NASDAQ: MSFT) fixed the problem on Tuesday, but declined to explain in detail the cause of the problem at the time.

As it turns out, one too many ampersands in a line of code in the Microsoft Active Template Library (ATL) was enough to create the vulnerability, according to Howard.

Instead of:

hr = pStream->Read((void*)pbArray, (ULONG)cbSize,

The code had been instead written as:

hr = pStream->Read((void*)&pbArray, (ULONG)cbSize,

“The extra ‘&’ character in the vulnerable code causes the code to write potentially untrusted data, of size cbSize, to the address of the pointer to the array, pbArray, rather than write the data into the array, and the pointer is on the stack. This is a stack-based buffer overrun vulnerability,” Howard wrote.
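To make the mechanism Howard describes concrete, the following added example (not Howard's or Microsoft's code; the article only quotes the two one-line fragments above) uses a constructed `mock_stream_read` standing in for the COM `IStream::Read` call, and a constructed `kStreamData` array as the untrusted stream. It shows the correct call filling the caller's array, the stray `&` sending the same bytes into the pointer variable on the stack instead, and a typed wrapper (`read_checked`, a name assumed here) that removes the `void*` cast so a `BYTE**` argument no longer compiles and the size is bounded. The vulnerable path caps `cbSize` at `sizeof(pbArray)` so the write stays inside the pointer object; in the real code the length was attacker-chosen and continued past the pointer into the rest of the stack frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t ULONG;
typedef unsigned char BYTE;

/* Constructed data standing in for the untrusted stream contents. */
static const BYTE kStreamData[] = { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };

/* Constructed stand-in for the COM IStream::Read quoted in the article:
   it copies up to cbSize bytes to whatever address pv holds and, like the
   real call, cannot tell whether pv is an array or the address of a
   pointer variable. */
static int mock_stream_read(void *pv, ULONG cbSize, ULONG *pcbRead) {
    ULONG n = cbSize < sizeof kStreamData ? cbSize : (ULONG)sizeof kStreamData;
    memcpy(pv, kStreamData, n);
    if (pcbRead) *pcbRead = n;
    return 0;
}

/* Correct form: pbArray (the array's address) is the destination, so the
   stream data lands in the caller's buffer. Returns 1 when the buffer
   holds the stream bytes afterwards. */
int read_correct(void) {
    BYTE buffer[sizeof kStreamData];
    BYTE *pbArray = buffer;
    ULONG cbSize = sizeof buffer, cbRead = 0;
    memset(buffer, 0, sizeof buffer);
    mock_stream_read((void*)pbArray, cbSize, &cbRead);
    return cbRead == cbSize && memcmp(buffer, kStreamData, cbSize) == 0;
}

/* Vulnerable form: the stray '&' makes the destination the pointer
   variable itself, which lives on the stack. The stream bytes overwrite
   pbArray and buffer is never touched. cbSize is capped at
   sizeof(pbArray) here so the demonstration stays inside the pointer
   object. Returns 1 when the buffer is still all zeros and the pointer
   no longer refers to it. */
int read_vulnerable_mechanism(void) {
    BYTE buffer[sizeof kStreamData];
    BYTE *pbArray = buffer;
    ULONG cbSize = sizeof pbArray, cbRead = 0;
    BYTE zeros[sizeof buffer];
    memset(buffer, 0, sizeof buffer);
    memset(zeros, 0, sizeof zeros);
    mock_stream_read((void*)&pbArray, cbSize, &cbRead);   /* the extra '&' */
    return memcmp(buffer, zeros, sizeof buffer) == 0 && pbArray != buffer;
}

/* Defensive form (assumed wrapper, not from the article): a typed
   destination with no void* cast at the call site, so passing &pbArray
   (a BYTE**) is a compile-time type error, plus a capacity check that
   bounds the copy. Returns -1 when the request does not fit. */
int read_checked(BYTE *dst, size_t dst_cap, ULONG cbSize, ULONG *pcbRead) {
    if (dst == NULL || cbSize > dst_cap) return -1;   /* refuse oversized reads */
    return mock_stream_read(dst, cbSize, pcbRead);
}

/* Returns 1 when the wrapper refuses a read larger than the buffer and
   leaves the reported count at zero. */
int read_checked_rejects_oversize(void) {
    BYTE small[4];
    ULONG cbRead = 0;
    return read_checked(small, sizeof small, 64, &cbRead) == -1 && cbRead == 0;
}
```

The point of `read_checked` is the one the commenter quoted later in the article makes: once the destination parameter is typed as `BYTE*` and the cast is gone, the `&pbArray` mistake becomes a compile error rather than something testing has to catch, and the explicit capacity check is what the original `(ULONG)cbSize` argument lacked.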

The ampersand is a special character, and its multiple roles in C++ made it difficult to find the error through automated code checking, he added.

“Our static analysis tools don’t flag this one … I looked over a few dozen instances of casting code like this in various code bases and they were all correct, so adding a rule to flag this kind of code would be prone to false positives and I would not want to subject anyone to a potentially massive amount of noise,” Howard said.

Howard’s blog post attracted a number of comments blasting Microsoft for its coding. One offered a basic piece of advice, writing, “you personally obviously know safe C++ coding practices. Why not implement them so that the compiler can catch them instead of requiring testing?”

Howard also appeared to be worried that there may be other, similar errors hidden in Microsoft’s code base.

“I want to drill a little deeper into casting issues,” he said. “This will be a side project for me over the next few months, as I wade through bug databases and code to see if there are other related issues.”

Adobe affected

Meanwhile, vendors who have written software impacted by the flaw are moving to respond.

Adobe (NASDAQ: ADBE) realized that the Microsoft ATL vulnerability made its Flash and Shockwave players for the IE browser potentially vulnerable. The Shockwave vulnerability has since been patched, while Adobe released the patch for Flash today, available here.

“Note that only Internet Explorer plug-ins are vulnerable. Thus, people using Flash Player within the Firefox browser — as well as all other Windows-based browsers (that aren’t Internet Explorer) — are not vulnerable,” Wendy Poland, Adobe’s security response program manager, wrote in a blog post on Tuesday. “Additionally, Flash Player and Shockwave Player on Macintosh, Linux and Solaris operating systems are not vulnerable.”
