Security researchers say Windows .ANI problem surfaced two years ago, Microsoft should have prevented it
By Ruben Francia
Microsoft’s failure to spot the animated cursor bug in Windows Vista has come under fire from security researchers, because a similar bug surfaced and was patched in early 2005, and the recent bug was also reported to Microsoft in December 2006.
The .ANI flaw in Microsoft’s Windows was first found by researchers at eEye Digital Security back in 2004, who reported it to Microsoft, said Andre Protas, a director at eEye, in an interview. Microsoft released a patch for it on 11 January 2005.
Researchers at Determina also alerted Microsoft about the current vulnerability in December, but the company still hadn’t pulled together a patch for it before the exploits came out more than three months later. Toward the end of March, when the exploits hit, Microsoft said it had nearly 100 technicians working around the clock for several days to get an emergency patch ready; it shipped on April 3.
“If they had simply looked for other references for the same piece of code when they originally dealt with it a few years ago, they would have found this and patched it in 2005,” said Craig Schmugar, a threat researcher with McAfee. “It would have saved a whole lot of people a lot of time, money, and effort.”
Microsoft, however, says the .ANI vulnerability found this year is different from the one found years ago. The company added that while the two vulnerabilities are both related to cursor and icon format handling, each vulnerability is unique.
But researchers believe the two vulnerabilities are the same.
“In fact, that piece of code was almost 100% identical to the code fixed in the MS05-002 patch,” Alexander Sotirov, a vulnerability researcher for Determina Security Research said. “However, the Microsoft patch did not fix this second instance of the vulnerability and Windows was still vulnerable to the attack.”
Researchers explained that both vulnerabilities lie in the same animated cursor handling code. Both are buffer overflows in the same .ANI header parsing, located in the user32.dll binary. One sat just a few coding steps away from the other.
The flawed code that causes the trouble handles one header in the first instance and a second header in the other.
“It’s the same flawed code, just on one header as opposed to the other,” said Protas. “There really isn’t that much difference in these vulnerabilities. If a hacker knew the second vulnerability existed, he could have easily turned out an exploit for it.”
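The pattern the researchers describe, a fixed-size header check applied to one occurrence of the header but not to a later one, can be illustrated with a small RIFF/ACON chunk walker. The code below is an added example written for this article; it is not Microsoft's user32.dll code or either patch. The chunk layout (a "RIFF"/"ACON" container holding 36-byte "anih" header chunks) is the public .ANI format; the two checking policies, the constructed sample files and all function names are assumptions made for illustration. It shows that a validator which checks only the first anih chunk lets a file with an oversized second anih through, while a validator that checks every occurrence rejects the file before anything is copied into the fixed-size header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ANIH_SIZE 36u   /* fixed size of the animation header carried in an "anih" chunk */

/* Decoded animation header (public RIFF/ACON layout: nine little-endian 32-bit fields). */
typedef struct {
    uint32_t cb_size, frames, steps, cx, cy, bit_count, planes, jif_rate, flags;
} anih_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hypothetical checking policies: size-check every anih chunk, or only the first one seen. */
enum { CHECK_EVERY_ANIH = 0, CHECK_FIRST_ANIH_ONLY = 1 };

/* Walks the chunk list of a RIFF/ACON buffer. Returns the number of anih chunks
 * accepted (1 or more on success), 0 if none was present, or -1 if a chunk is
 * malformed and the file must be rejected. Nothing is read out of a chunk
 * until its declared length has been checked against the fixed header size. */
int ani_validate(const uint8_t *buf, size_t len, int policy, anih_t *out)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    size_t pos = 12;
    int accepted = 0, seen = 0;
    while (len - pos >= 8) {
        const uint8_t *tag = buf + pos;
        uint32_t csize = rd32(buf + pos + 4);
        pos += 8;
        if (csize > len - pos)            /* chunk claims more bytes than the file holds */
            return -1;
        if (memcmp(tag, "anih", 4) == 0) {
            seen++;
            int checked = (policy == CHECK_EVERY_ANIH) || seen == 1;
            if (checked && csize != ANIH_SIZE)
                return -1;                /* reject before any copy into a fixed buffer */
            if (csize == ANIH_SIZE) {
                anih_t h;
                const uint8_t *f = buf + pos;
                h.cb_size = rd32(f);       h.frames = rd32(f + 4);     h.steps = rd32(f + 8);
                h.cx = rd32(f + 12);       h.cy = rd32(f + 16);        h.bit_count = rd32(f + 20);
                h.planes = rd32(f + 24);   h.jif_rate = rd32(f + 28);  h.flags = rd32(f + 32);
                if (h.cb_size != ANIH_SIZE) return -1;   /* header must describe itself correctly */
                if (out) *out = h;
                accepted++;
            }
            /* Under CHECK_FIRST_ANIH_ONLY an oversized later anih is not rejected here; a
             * reader that then copied csize bytes into a 36-byte header would overflow it. */
        }
        pos += csize;
        if ((csize & 1) && pos < len) pos++;   /* RIFF pads odd-length chunks to even */
    }
    return accepted;
}

/* Appends one chunk at dst; returns bytes written (8-byte chunk header + data + pad). */
static size_t put_chunk(uint8_t *dst, const char *tag, const uint8_t *data, uint32_t n)
{
    memcpy(dst, tag, 4);
    wr32(dst + 4, n);
    memcpy(dst + 8, data, n);
    if (n & 1) dst[8 + n] = 0;
    return 8 + n + (n & 1);
}

/* Builds a constructed RIFF/ACON file into dst (at least 256 bytes): one well-formed
 * anih, then, if bogus_second_len > 0 (at most 128), a second anih declaring that length. */
size_t build_sample(uint8_t *dst, uint32_t bogus_second_len)
{
    uint8_t hdr[ANIH_SIZE] = {0};
    wr32(hdr, ANIH_SIZE); wr32(hdr + 4, 2); wr32(hdr + 8, 2);   /* cbSize, 2 frames, 2 steps */
    wr32(hdr + 28, 10);   wr32(hdr + 32, 1);                    /* display rate, flags */
    uint8_t filler[128] = {0};
    size_t pos = 12;
    pos += put_chunk(dst + pos, "anih", hdr, ANIH_SIZE);
    if (bogus_second_len > 0)
        pos += put_chunk(dst + pos, "anih", filler, bogus_second_len);
    memcpy(dst, "RIFF", 4); wr32(dst + 4, (uint32_t)(pos - 8)); memcpy(dst + 8, "ACON", 4);
    return pos;
}

/* Scenario wrappers: each returns the validator's verdict for one constructed input. */
int check_sample(uint32_t bogus_second_len, int policy)
{
    uint8_t f[256];
    size_t n = build_sample(f, bogus_second_len);
    return ani_validate(f, n, policy, NULL);
}
int check_truncated(void)   /* file cut short so the first anih's length exceeds the data */
{
    uint8_t f[256];
    size_t n = build_sample(f, 0);
    return ani_validate(f, n - 10, CHECK_EVERY_ANIH, NULL);
}

int main(void)
{
    printf("well-formed file,      check every anih: %d\n", check_sample(0, CHECK_EVERY_ANIH));
    printf("oversized second anih, check every anih: %d\n", check_sample(64, CHECK_EVERY_ANIH));
    printf("oversized second anih, check first only: %d\n", check_sample(64, CHECK_FIRST_ANIH_ONLY));
    printf("truncated file,        check every anih: %d\n", check_truncated());
    return 0;
}
```

The first-only policy returns a success count for the file with the oversized second header, which is exactly the gap the researchers point at: the check is right, it is simply not applied to every place the same header is parsed. Reviewing a fix for one parsing site by searching for every other consumer of the same structure is the cheap step that closes it.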
In response, Microsoft says those differences are enough to make them similar but entirely distinct vulnerabilities.
Earlier this week, the director of the Microsoft Security Response Center, Mark Miller, acknowledged that the failure to spot the new ANI bug when developers reviewed the vulnerable code in 2005 was a breakdown. “We’re doing an analysis of why we didn’t find it then,” Miller said.