Candle (Premium Member, join:2007-08-13, Fosston, MN)
[WIN7] Redmond is patching Windows 8 but NOT Windows 7, say security bods

Microsoft has left Windows 7 exposed by only applying patches to its newest operating systems.

Researchers found the gaps after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities.

The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks.

Researcher Moti Joseph (@gamepe) - formerly of Websense - speculated Microsoft had not applied fixes to Win 7 to save money.

"Why is it that Microsoft inserted a safe function into Windows 8 [but not] Windows 7? The answer is money - Microsoft does not want to waste development time on older operating systems ... and they want people to move to higher operating systems," Joseph said in a presentation at the Troopers14 conference.

Microsoft has been contacted for comment.

Together with malware analyst Marion Marschalek (@pinkflawd), the duo developed a capable diffing (comparison) tool dubbed DiffRay which would compare Windows 8 with 7, and log any safe functions absent in the older platform.

It was "scary simple", Marschalek said, and faster than finding vulnerabilities by hand.

(Image: DiffRay GUI and flow chart)
Security bods could then probe and pluck those functions to identify vulnerabilities and exploits.

In a demonstration of DiffRay, the researchers found four missing safe functions in Windows 7 that were present in 8.

"If we get one zero-day from this project, it's worth it," Joseph said.

Future work will extend DiffRay's capabilities to find potential vulnerabilities in Windows 8.1, add intelligence to trace input values for functions and incorporate more intelligent signatures used to find potential holes. Duplicates and abundant false positives in the current version would also be ironed out.

The presentation slides were available online (PDF).

»www.theregister.co.uk/20 ··· ers_say/
moes (Premium Member, join:2009-11-15, Cedar City, UT)
Yeah, it's MS. They see that 8 is failing, and how do you get people off 7? Stop supporting them, like they did with XP (I know, beating a dead horse with that one). But in reality, I can not move to 8. My motherboard is not a happy camper with 8. Once they learn that not all of us can afford current-gen tech, then yeah.
dave to Candle (Premium Member, join:2000-05-04, not in ohio)
The Reg article seems confused. Firstly, a header file is not a library. Secondly, adding a new function to a library does not fix any security hole - by definition it was not used before it existed, and does not become used simply by existing. Thirdly, the header file is surely part of the SDK, not the OS.

The real meat seems to be that certain security-sensitive DLLs have not been fixed to avoid integer overflow problems. That is a valid concern, but the issue of updating intsafe.h is tangential at best. (Or to put it another way, adding a safe function doesn't change anything).

The speculation as to motive is just that, but given the puerile nature of the slides, you might expect it.

P.S.

I just took a look on the net. intsafe.h functions claim to be inlined (there is no library); the Rtl variants (non-inlined), which appear to be the ones involved in the actual code changes, are declared in ntintsafe.h, part of the Windows driver kit.

That would appear to be only an error in presenting the results, though - they actually started from the library, and the mention of intsafe.h is just noise.

Candle
Thanks Dave for the info.

Astyanax to dave (Premium Member, join:2002-11-14, Melbourne, FL)
said by dave:

The Reg article seems confused. [...] The real meat seems to be that certain security-sensitive DLLs have not been fixed to avoid integer overflow problems. That is a valid concern, but the issue of updating intsafe.h is tangential at best. (Or to put it another way, adding a safe function doesn't change anything).

So, in English, the claim that Microsoft is updating Win 8 and not 7 is BS?

Candle
I have not had an update to Windows 7 in at least two weeks or more, so not sure what to tell you.

Wily_One (Premium Member, join:2002-11-24, San Jose, CA)
said by Candle:

I have not had an update to Windows 7 in at least two weeks or more, so not sure what to tell you.

Maybe because patches only come out once a month?

(Patch Tuesday, unless a critical exploit requires a special release. Next one will be this Tuesday, 6/10.)

Astyanax to Candle
said by Candle:

I have not had an update to Windows 7 in at least two weeks or more, so not sure what to tell you.

Microsoft does updates on the second Tuesday of every month (called Patch Tuesday). I run Win 7 and have been updated every month. I asked what I asked knowing that not every update on Patch Tuesday may be security-related.
dave to Astyanax
said by Astyanax:

So, in English, the claim that Microsoft is updating Win 8 and not 7 is BS?

Well, it's apparently true, but not necessarily meaningful.

Ignore the noise about intsafe.h and concentrate on the DLLs they discuss. The first example is quartz.dll, whatever that is. They show a virtual memory allocation which in W7 is liable to an undetected integer overflow in computing the allocation size. Some input value is getting multiplied by 4 (*) to determine the allocation size.

What this means is that if you can feed it an input value of more than a billion, multiplying by 4 gets it a small number due to overflow, so it allocates a little memory while thinking it allocated a lot. This leads the way to heap corruption.

But what I don't know is whether that function is network-facing, i.e., can you get in a position to be asking it to allocate a billion whatevers? Failing to deal with integer overflow is not any kind of bug if integer overflow is not possible under any input the function will ever get. It could be a case of "it rather depended on being on the other side of that airtight hatch" -- i.e., in order to make this function do something bad, the attacker has to be in a position to run code on your system.

One may suppose Microsoft decided that it was a risk because they 'fixed' it in Windows 8, but we don't really know why it changed. Perhaps it was a blanket policy "always use the safe functions and then we don't need to even think about individual cases". Perhaps Windows 8 uses compilation switches that force this automatically. Perhaps a newer version of the compiler forces it automatically. It doesn't have to be some human changing the source code.

Anyone who was an actual 'researcher' ought to have looked into these matters (and perhaps they did, but there wasn't room in the presentation after the pictures of insects -- bugs, geddit? ho ho ho, that's a new one -- and bruce willis/schneier jokes).

(*) I think it was 'multiply by 4' but for some reason I cannot now get to the pdf to check. Still, this doesn't really affect the argument.
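The overflow dave walks through, as an added example that is not part of this thread, of DiffRay, or of Microsoft's code. It assumes the "multiply by 4" dave recalls (he notes he could not re-check the slides), and it reimplements the overflow-checked multiply with the same contract as intsafe.h's ULongMult and ntintsafe.h's RtlULongMult rather than including Microsoft's headers, so it builds with any C99 compiler:

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Element size the Win7 code path multiplies by. dave recalls "multiply by 4"
   and could not re-check the slides, so this is an assumption of the example. */
#define ELEMENT_SIZE 4u

/* The Win7-style computation as dave describes it: a 32-bit multiply with no
   overflow check. The product wraps modulo 2^32, so a huge count yields a
   tiny size. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return count * ELEMENT_SIZE;
}

/* Overflow-checked multiply with the same contract as intsafe.h's ULongMult
   and ntintsafe.h's RtlULongMult: on overflow report failure and leave *out
   untouched, otherwise store the product. Portable reimplementation written
   for this example, not Microsoft's code. */
bool safe_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* The hardened computation: the allocation is refused instead of wrapping. */
bool alloc_size_checked(uint32_t count, uint32_t *size)
{
    return safe_mul_u32(count, ELEMENT_SIZE, size);
}

/* Same result as a single value for quick checks: -1 on overflow. */
int64_t alloc_size_checked_or_neg(uint32_t count)
{
    uint32_t size;
    return alloc_size_checked(count, &size) ? (int64_t)size : -1;
}

/* The consequence dave describes: the buffer is sized by the wrapped value,
   so the number of elements it really holds is far below what the caller
   believes. Every element written past this index lands on the heap. */
uint32_t elements_that_fit(uint32_t count)
{
    return alloc_size_unchecked(count) / ELEMENT_SIZE;
}

int main(void)
{
    uint32_t big = 0x40000001u;   /* 1,073,741,825: "more than a billion" */
    uint32_t size;

    printf("unchecked: %" PRIu32 " elements -> %" PRIu32 " bytes (really fits %" PRIu32 ")\n",
           big, alloc_size_unchecked(big), elements_that_fit(big));
    if (!alloc_size_checked(big, &size))
        printf("checked:   overflow detected, allocation refused\n");
    if (alloc_size_checked(10u, &size))
        printf("checked:   10 elements -> %" PRIu32 " bytes\n", size);
    return 0;
}
```

The smallest count that wraps is 2^30 (0x40000000), which gives a size of exactly 0; 0x40000001 gives 4, a buffer holding one element while the caller believes it holds over a billion. The caveat is dave's: this only matters if untrusted input can reach the count, and the checked path turns that input into a refused allocation rather than a heap overwrite.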
dave to Candle
Having said all that, the purpose of the presentation was to show off their automatic method for determining code sites to attack. The overall methodology seems sound enough: for a given DLL (like quartz.dll for example), compare its lists of imports in both Windows 7 and Windows 8. Look for 'safe' functions which were not previously used in Win7. Hypothesize that they may now be used to fix a security vulnerability. Find the sites in the code which use that safe function, and examine further to see if there is in fact a vulnerability.

It's the OMG-Redmond-is-deliberately-cheating-us approach that I find unsubstantiated. Well, that and an aversion to using the term 'researcher' for anyone with a decompiler.
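The import-table comparison dave outlines above, as an added example; it is not DiffRay's code and is not from this thread. Both import lists are constructed for illustration, not quartz.dll's real imports, and the safe-function table is a four-entry sample of ntintsafe.h names rather than the full intsafe/strsafe inventory. On real binaries the lists would come from a PE parser (for instance the output of `dumpbin /imports`):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sample of the overflow-checked helpers declared in ntintsafe.h (exported
   by ntdll). A real run would load the full intsafe/strsafe inventory. */
static const char *const SAFE_FUNCTIONS[] = {
    "RtlULongMult", "RtlULongAdd", "RtlSizeTMult", "RtlSizeTAdd",
};

/* Constructed import tables standing in for one DLL's Win7 and Win8 builds.
   These are NOT quartz.dll's real imports; they exist only for this example. */
static const char *const WIN7_IMPORTS[] = {
    "RtlAllocateHeap", "RtlFreeHeap", "memcpy", "RtlInitUnicodeString",
};
static const char *const WIN8_IMPORTS[] = {
    "RtlAllocateHeap", "RtlFreeHeap", "memcpy", "RtlInitUnicodeString",
    "RtlULongMult", "RtlSizeTAdd", "RtlGetVersion",
};

#define COUNT(a) (sizeof (a) / sizeof *(a))

static bool in_list(const char *const *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return true;
    return false;
}

/* The DiffRay-style step: imports present in the newer build but absent
   from the older one, kept only if they are known safe functions. Each hit
   is a hypothesis ("a call site here was hardened") to be confirmed by hand
   in the disassembly. Writes up to max names into out, returns the count. */
size_t new_safe_imports(const char *const *old_imports, size_t n_old,
                        const char *const *new_imports, size_t n_new,
                        const char **out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n_new && found < max; i++) {
        const char *name = new_imports[i];
        if (in_list(old_imports, n_old, name))
            continue;                               /* already used in Win7 */
        if (!in_list(SAFE_FUNCTIONS, COUNT(SAFE_FUNCTIONS), name))
            continue;                               /* new, but not a safe helper */
        out[found++] = name;
    }
    return found;
}

/* Accessors over the constructed data so results can be checked by name. */
static const char *g_candidates[COUNT(WIN8_IMPORTS)];

size_t demo_candidate_count(void)
{
    return new_safe_imports(WIN7_IMPORTS, COUNT(WIN7_IMPORTS),
                            WIN8_IMPORTS, COUNT(WIN8_IMPORTS),
                            g_candidates, COUNT(g_candidates));
}

const char *demo_candidate(size_t i)
{
    return i < demo_candidate_count() ? g_candidates[i] : NULL;
}

int main(void)
{
    size_t n = demo_candidate_count();
    printf("%zu candidate import(s) whose call sites deserve a look:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", g_candidates[i]);
    /* RtlGetVersion is also new in the Win8 build but is not a safe
       function, so it is left out; that filter is what keeps the
       candidate list short enough to examine by hand. */
    return 0;
}
```

What this does not do is the step that separates a finding from a false positive: locating the call site of each flagged import and deciding, as dave does for the quartz.dll allocation, whether untrusted input can reach it. That step is still manual, which is why the slides mention the tool's duplicates and false positives.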