Friday, January 13, 2006

MS06-001 vs MS05-053

As part of my work on LiveShield, I get to analyze a lot of vulnerabilities, both new and old. The purpose is not only to make sure that our product protects against them, but also to get more experience with the kinds of code and bugs that we are likely to see again in the future. Most vulnerabilities follow identifiable patterns, and recognizing those is very valuable when you have to analyze a 0-day that is actively exploited in the wild.

In the best case scenario, the new vulnerability will be in a piece of code that you are already familiar with. When the first WMF vulnerability was announced in November of last year, Jim and I spent a significant amount of time analyzing the vulnerable code. In the end, we had a pretty good understanding of the WMF file format, the functions responsible for processing those files, and their general weaknesses. When the WMF 0-day hit on December 27-th, it took me less than 15 minutes to trace through the code and figure out what was going on. I was disappointed that I had missed this vulnerability back in November, even though I had been looking at the same function in GDI32.DLL. My only excuse is that I was looking for bugs in the code, not for features that shouldn't have been there in first place.

Our response time on this bug would have been much longer if we had to start analyzing the WMF parser from scratch on the 27-th. I hope that as we gain more experience, we will be able to react this quickly to a wide range of vulnerabilities.


Post a Comment

<< back