Submitted by “Hey Folks – this is Mike Reavey. We’re all glad that MS07-017 – the Security Bulletin that fixes the vulnerability in Animated Cursor Handling – has been released, helping to block attacks on that vulnerability. While we released it within 5 days of being notified of attacks, we have received questions from customers about why it took us 3 months to develop and release the fix for this vulnerability. I wanted to provide some insight into the history of this vulnerability, and while doing so, hopefully provide insight into the overall security update lifecycle, including testing, which consumes the greatest amount of time.”
I took 2 months to find all bugs? They say they have hundereds of folks to test patches, how many people do look for bugs?
I have no problem with MS taking a little while to make sure a good quality patch is released but to take as long as they did only to rush it in the end is insane. not to mention al the problems it is causing
http://neowin.net/index.php?act=view&id=39249
I got the impression that the article was only posted on the blog site because people were commenting on how long it took to release and MS wanted to save face
There are so many people interested in cracking windows than other OS. In a way it is gud for MS as they get their job done by a larger community.
Rendering of an icon goes deep enough that becomes a part of the core of the OS??? Am I the only one that thinks that they should be ashamed of that design? Ugh!
Keep in mind that without actually knowing the design in more detail and understanding motivations behind it, its very difficult to be an accurate judge.
Look.. the day I see Operating Systems: Design & Implementation books used in a respectable university come with a chapter dedicated to icon rendering (???), we’ll talk about being an accurate judge. ๐
“Look.. the day I see Operating Systems: Design & Implementation books used in a respectable university come with a chapter dedicated to icon rendering (???)”
The day a university develops, releases, and maintains something as large and complex as Windows (or anything similar to the public domain), I’ll let academia be the judge as to why MS chose to do things the way they did.
Like most other things in Windows that kind of make you go “WTF” it’s gotta be related to backwards compatibility.
“The day a university develops, releases, and maintains something as large and complex as Windows (or anything similar to the public domain), I’ll let academia be the judge as to why MS chose to do things the way they did. ”
hmmm come to thnk of it there was that litle thing called….uh what was it again….. the _______ Software Distrobution…..oh wait!
http://en.wikipedia.org/wiki/BSD
๐
We’re rendering the cursor here, not icons. This cursor is always displayed and in some cases the graphics card is involved in drawing the cursor. It stands to reason that drawing the cursor should be one of the core functions of the graphics server. In Windows, the graphics server partly runs in kernel mode (in win32k.sys), so in that sense it’s in the core of the OS.
This does not mean that it’s anywhere near the scheduler, or IO manager, or anything else that you’d consider fundamental to the OS. The icon handling code and cursor management is in the core of the windowing system, and most applications on windows are graphical, so in a sense this is in the core of what applications use the most. And errors here are most noticeable to the user.
Where else would you propose to draw things like the cursor or to draw an icon but in the core of the GUI?
I would proposed to draw cursors and icons in userspace, preferably in a process running without login privileges.
From the explanation here, I can only speculate that the actual rendering is done by a library routine in user32.dll, but it relies on the kernel to get the position of the cursor on the viewport and to copy the rendered bitmap into a kernel buffer. Specify a malicious animated icon, and the kernel might do bad things.
Again, this is just speculation, but this seems like a simple issue of not properly validating data from userspace, exacerbated by some core graphics code running in the kernel.
As for the 80 issues they claim to have found while developing the fix, I further speculate that many of these are silly complaints (including false positives) from their automated static analysis tool, PREfix.
Well, yes, but animation itself and it’s vulneabilities scatered around two core files? I don’t think that’s okay.
Another thing is, that they were testing chanches in animated cursor for two monts, those two months when the vulneability was widely known to anybody interested. That vorries me much more.
I agree. This seems so stupid. To make graphics faster, windows moved tons of graphics code in kernel mode driver called win32k.sys as the name stands win32 in kernel:)
This is the stupid stuff that people in Microsoft keep doing. Instead of solving real design or performance issues, people put hacks around them.
Look for superfetch in vista, because they can’t make vista faster, they designed a patched solution called superfetch. Lame i must say…
Man, this fix is a PITA! Ever since the installation, both my DVD drives need to be disconnected for my system to boot properly. Talk about screwing up!
Don’t get me wrong, I’m happy(er) with MS’s bug fix release cycle, it’s certainly miles better than just a few years ago, but this is a major pain in the but.
Guess I should have taken my own advice and waited for SP1 ๐
This patch to the way cursors are animated, in the works for 3 months, which affects the very core of the operating system, has broken your ability to boot with DVD drives attached?
I’ll certainly remember that one next time someone tries to convince me about how modular Windows is!
Edited 2007-04-05 18:07
The patch introduces many problems both in Windows and in some applications. It really seems that MicroSoft rushed this one, considering cold reception that Vista suffers.