, SecurityFocus 2007-07-25
In December 2005, technology consultant Inge Henriksen announced he had found a flaw in Microsoft's flagship Web server platform, Internet Information Server (IIS) 5.1. Yet, because the vulnerability appeared impossible to exploit, Microsoft put off patching the issue.
The programming problem represented a fairly common developer mistake, but one that is generally thought to cause instability, not insecurity. Known as a dangling, or wild, pointer, the flaw was caused by an IIS service process that attempted to use memory that was already freed by the program. At the time, exploiting the flaw only appeared to crash the program.
"In other words, this is not a buffer/stack overflow exploit and it will therefore not enable anyone to execute code on the Web server," Henriksen wrote on his blog at the time. "But then again, I'm not sure on this issue and someone might prove me wrong."
As it turns out, Henriksen and Microsoft were both wrong. More than a year and a half later, two researchers at security-audit firm Watchfire discovered a way to exploit the dangling point issue. What's more, the researchers -- Jonathan Afek and Adi Sharabani -- have found a method of exploiting a broad class of dangling pointers and plan to detail the process next week at the Black Hat Security Briefings in Las Vegas.
The discovery means that developers and security researchers need to start considering dangling pointers as security problems as serious as buffer overflows, said Danny Allan, director of security research for Watchfire.
"The dangling pointer was reported to Microsoft in 2005, and they never patched it -- that is indicative where dangling pointers are right now," Allan said. "It remained unpatched for two years because they didn't consider it a security problem, but a quality problem."
A dangling pointer is a software bug that occurs when a programmer creates an object in memory, uses the object, frees up the memory for reuse and then mistakenly tries to access the object again. The portion of memory previously allocated to the object may no longer have the expected data. Instead, the memory likely has meaningless data, or in the case of an exploitable dangling pointer, could have malicious code.
While other researchers have found exploitable dangling pointers, most developers believe that the flaw is a quality-control issue, not a security problem, Watchfire's Allan said.
"That is where most companies are today," he said. "They don't patch these things very quickly."
In the case of the IIS 5.1 flaw, it took Microsoft 21 months to patch the issue. While some security experts didn't rule out the possibility that the IIS flaw could be used to execute code, Microsoft apparently agreed with Henriksen's assessment and promptly put patching the flaw on the back burner, promising to fix the issue in Windows XP Service Pack 3, which at the time was a year away.
Microsoft's Security Response Center also had other problems. Less than two weeks later, zero-day details on a vulnerability in the handling of the Windows Meta File (WMF) format had leaked to the Internet, and the software giant had to scramble to develop a patch.
The software giant fixed the IIS flaw as part of its regularly schedule Patch Tuesday on July 10. The software giant would only comment on the patch, not the flaw itself.