Latest MS Vuln eerily similar to one from two years previous

The recently discovered critical Windows vulnerability that necessitated an out-of-cycle patch is extremely similar to one that first appeared two years ago. The MS08-067 vulnerability, which was originally spotted by analyzing in-the-wild captures, is remarkably similar to the MS06-040 vulnerability that enabled the spread of a variant of the Mocbot trojan, leading security researchers to believe that it will be used to renovate an old worm. Both vulnerabilities existed in the same region of code, which handled parsing and routing of RPC messages. While some may ask why MS08-067 wasn’t spotted when the code was so heavily vetted when MS06-040 was discovered, I can assure you that finding vulnerabilities, even when they are staring you in the face and they are vanilla stack overflows, is far more difficult than it may sound.

Good software architecture assumes that the vulnerabilities may exist and, designing with “defense in depth” in mind, creates obstacles that slow down exploitation of a vulnerability so as to allow the administration time to apply a patch. For example, designers can randomize the memory layout of the application so remote exploits would have to make vast numbers of attempts at exploiting the application before they are successful. To mitigate the effects of fast network connections, the application should be designed to shut down if it detects something odd happening before the remote attacker hits upon the specific memory layout. This design principle was used in Windows Vista, limiting the platform’s vulnerability to the latest attack.

Someone in Microsoft’s Security and QA group is most likely torturing themselves for not finding this vulnerability back in 2006. They should take some comfort that their latest architectures are tolerant of this mistake. After all, they are only human.

[Source: zdnet]