Security Security Security Security

  • Article

The opening keynote at STAR East this morning was James Whittaker (who I'm happy to say has joined Microsoft!) talking about security testing. James focused on three areas:

  • Input. One common source of security bugs is unhandled/mishandled input of, shall we say, a special nature. SQL injection for example: entering ' OR 1=1 -- as a user name. If this "user name" is stuffed directly into a SQL query such as
        SELECT * FROM USERS WHERE USERNAME='<username>' AND PASSWORD='<password>'
    , this attack turns that query into
        SELECT * FROM USERS WHERE USERNAME='' OR 1=1 -- AND PASSWORD='<password>'
    - which returns every last record, since "1=1" is always true and everything after the "--" is turned into a comment. Oops.
  • Environment. Muck with the environment and see what happens. For example, Microsoft Internet Explorer used to have a bug where it did not supply a path when it dynamically loaded its parental ratings DLL. So if you used a tool like Holodeck or Process Explorer to discover that IE loaded a DLL named MSRATINGS.DLL, and then you copied any random file side-by-side to iexplore.exe as MSRATINGS.DLL, IE would follow standard file-searching behavior and load your trojan DLL. The dynamic load would of course now fail and so IE would simply disable parental controls. You can bet thirteen-year-olds everywhere know about this hack! <g/>
  • Logic. Ponder how a feature might be implemented and then look for a way to break it. For example, anytime an ActiveX control tries to load, IE pops a message box asking whether you want to let it run. IE used to have a bug where if the load was executed from script and the load was attempted multiple times - in a loop, say - you would only be asked the first time. That's nice of IE, isn't it, to not repeat a question you've already answered? Just one problem: it acted as though you had said "Yes, please load it" even if you answered "No, don't load that nasty evil thing" ! All your base are belong to us, indeed.

Each of these exploits requires sophisticated security tools. Like Notepad. Which was James' point: security hacking is often not a sophisticated process. Which means there's no reason why we can't find the problems before we ship.

Of course, if you *like* seeing your company's name on the morning news you can skip security testing...