Memo to Bill Gates, Steve Ballmer, or whoever is in charge nowadays:
Go into Microsoft Word and print up a whole bunch of signs that say "Check All Buffers." Then go around and staple these signs to the cubicle wall, the monitor, or the forehead of all your programmers.
Why? Because for the fifth time in 2001 (plus once in December 2000), Microsoft has had to issue a Security Bulletin dealing with a threat or a bug caused by an unchecked buffer.
The latest problem surfaced in the Indexing Server in Windows NT 4.0. This product does full-text searches of files -- not only looking for filenames, but for text within the files. If the search input is too long, it may crash the indexing service/server. If the input is too long and is also constructed in a certain way, it may allow an attacker to run code on the computer. According to Microsoft, this particular attack probably couldn't be pulled off by a network outsider connecting through the Internet; the attacker would need an account on the network. (If network security is lax, it could be done from the outside.)
There is also a buffer problem in the Windows 2000 Indexing Service, where hackers could construct a query to the Indexing Service that would allow them to view files that would ordinarily be off limits. There are fixes for these two problems at http://www.microsoft.com/technet/security/bulletin/MS01-025.asp. Microsoft credits David Litchfield of @Stake and Mike Mulling for finding this problem.
While at the Microsoft Security Site, pick up the fixes for these other buffer checking/overrun problems:

| Bulletin | Problem |
|---|---|
| 01-023 | Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server |
| 01-018 | Visual Studio VB T-SQL Object Contains Unchecked Buffer |
| 01-013 | Windows 2000 Event Viewer Contains Unchecked Buffer |
| 01-012 | Outlook, Outlook Express VCard Handler Contains Unchecked Buffer |
| 01-002 | PowerPoint 2000 File Parser Contains Unchecked Buffer |
| 00-094 | Patch Available for "Phone Book Service Buffer Overflow" Vulnerability |

A Common Problem
These are the recent problems. Going to the Microsoft Knowledge Base and searching for the phrase "unchecked buffer" turned up twenty-two hits, although some of the items are redundant. (One article may talk about an unchecked buffer, while another lists the Service Pack where it is fixed.) Searching for the phrase "buffer overflow" turned up 200 hits. There are actually far more, but the Microsoft Search Engine tops out at 200. Think there may be some sort of chronic problem here?
Now, I'm not a professional programmer, so I'm not sure how difficult it actually is. But I would certainly try to implement some sort of rule: Anytime you create a buffer, check it. What happens when it overflows? What happens when they send it bad data? (The phrase "malformed request" shows up even more frequently in the security bulletins than "unchecked buffer".) Countless exploits have been devised around these things, so wouldn't it be easier to check first?
Maybe Microsoft needs to hire a special group just to do this. Make them an elite squad, "The Buffer Checkers"; maybe they can even hire Sarah Michelle Gellar as their spokesperson. You know, "Buffy the Buffer Slayer." Or maybe they just want to keep on issuing security bulletins every month about fixes for unchecked buffers. At least it keeps their name in the headlines.
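What the "check every buffer" rule looks like in code, as an added example that is not from this column and not Microsoft's Indexing Service code: a hypothetical search handler copies an incoming query into a fixed-size buffer. The unchecked version uses `strcpy` and overruns the buffer on an over-long query; the checked version measures the input with a bounded scan, rejects queries that are too long or that carry control bytes ("malformed"), and leaves the buffer untouched on failure. `QUERY_MAX`, the function names and the sample queries are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical fixed-size query buffer, as a full-text search service might keep
 * for each incoming request. The size is a constructed value for this example. */
#define QUERY_MAX 64

/* The unchecked pattern the column complains about. strcpy() stops only at the
 * terminating NUL, so a query of QUERY_MAX bytes or more writes past the end of
 * dst. It is here only for contrast with the checked version below. */
void copy_query_unchecked(char dst[QUERY_MAX], const char *src)
{
    strcpy(dst, src);
}

/* The checked version: measure and validate before touching the buffer.
 * Returns 0 on success, -1 if the query is too long for the buffer, and -2 if it
 * carries bytes a text query should never contain (treated as "malformed").
 * dst is left untouched on failure, so the caller never sees a half-copied value. */
int copy_query_checked(char dst[QUERY_MAX], const char *src)
{
    /* Bounded length scan: reads at most QUERY_MAX bytes of src, so a source
     * with no terminator cannot make the length check itself overrun. */
    size_t n = 0;
    while (n < QUERY_MAX && src[n] != '\0')
        n++;
    if (n == QUERY_MAX)          /* no room left for the terminator: reject */
        return -1;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isprint(c))         /* control bytes and non-ASCII: treat as malformed */
            return -2;
    }

    memcpy(dst, src, n);         /* n < QUERY_MAX, so the bytes and the NUL fit */
    dst[n] = '\0';
    return 0;
}

/* Stand-alone demonstration with constructed inputs. */
int main(void)
{
    char buf[QUERY_MAX];
    char too_long[QUERY_MAX * 3];

    memset(too_long, 'A', sizeof too_long - 1);   /* 191 bytes of 'A': cannot fit */
    too_long[sizeof too_long - 1] = '\0';

    printf("short query     -> %d\n", copy_query_checked(buf, "indexing service"));
    printf("copied: \"%s\"\n", buf);
    printf("over-long query -> %d\n", copy_query_checked(buf, too_long));
    printf("control byte    -> %d\n", copy_query_checked(buf, "bad\001query"));
    /* copy_query_unchecked(buf, too_long) would write 128 bytes past buf here. */
    return 0;
}
```

The two checks answer the column's two questions separately: the length check answers "what happens when it overflows" (nothing, because the copy never starts), and the byte check answers "what happens when they send it bad data" (the request is refused before any parsing). Returning distinct codes lets the caller log the two cases differently, which is what turns a crash report into a detectable probe.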
August 2nd, 2009