Michael Howard from Microsoft Analyzes Recent Symantec and IBM Vulnerabilities

One of the main people behind Microsoft's Security Development Lifecycle (SDL), Michael Howard, analyzes the recent Symantec and IBM vulnerabilities in a post on the MSDN SDL blog.

Michael says:

The vulnerabilities are not in Symantec code, yet Symantec customers are still open to attack. The issues lie in a small number of file parsers used in many applications created by a third-party vendor. As you probably know, file parsing vulnerabilities are very common, and even though the number of such bugs has dropped significantly in Microsoft products, in the past we had many. Thankfully, the SDL’s fuzzing requirements have significantly helped reduce the number of parsing-related vulnerabilities in our products.

And also:

… the same bugs affect IBM’s Lotus Notes 7.0.2 and some other products too.

In summary, Michael says:

Bugs are interesting, you can learn a lot from your own bugs, but also from the bugs in other products. From an SDL perspective, there is nothing new about any of these vulnerabilities. It also appears that the DLLs are not compiled or linked with any other defenses. If I had my way they would be SDL compliant, and have as many defenses as possible as the parser code is an inch away from the Internet, and is used in a mission critical defensive position. What’s interesting to me is how many other products out there consume these giblets? Because those products have security bugs too!
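Howard's remark that the affected DLLs do not appear to be "compiled or linked with any other defenses" is something a practitioner can check on any third-party parser DLL before shipping it. The script below is an added example written for this page, not code from Michael Howard, Microsoft, Symantec or IBM. It reads the PE optional header and reports the link-time defenses recorded in the DllCharacteristics field: /DYNAMICBASE (ASLR), /NXCOMPAT (DEP) and, going beyond the 2007 context of the post, /guard:cf and high-entropy 64-bit ASLR. Two caveats that the header alone cannot answer: /GS stack cookies leave no header flag (you have to look at the code), and /SAFESEH registration lives in the IMAGE_LOAD_CONFIG directory, which this example does not walk. The `build_minimal_pe` helper constructs a toy image with only the headers the checker needs; it is test scaffolding, not a real DLL.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF spec; optional header offset 70 for both PE32 and PE32+)
HIGH_ENTROPY_VA = 0x0020   # 64-bit image can use high-entropy ASLR
DYNAMIC_BASE    = 0x0040   # /DYNAMICBASE: image may be relocated at load (ASLR)
NX_COMPAT       = 0x0100   # /NXCOMPAT: image is DEP-compatible
NO_SEH          = 0x0400   # image registers no SEH handlers at all
GUARD_CF        = 0x4000   # /guard:cf: control-flow guard

PE32, PE32PLUS = 0x10B, 0x20B


def optional_header(data: bytes):
    """Locate the optional header. Returns (offset, magic) or raises ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header follows the signature
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    if size_opt < 72:                         # DllCharacteristics ends at offset 72
        raise ValueError("optional header too small to hold DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt, magic


def check_defenses(data: bytes) -> dict:
    """Decode DllCharacteristics into a small report of link-time mitigations."""
    opt, magic = optional_header(data)
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    report = {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "cfg": bool(flags & GUARD_CF),
        "no_seh": bool(flags & NO_SEH),
    }
    if magic == PE32PLUS:                     # only meaningful for 64-bit images
        report["high_entropy_va"] = bool(flags & HIGH_ENTROPY_VA)
    return report


def missing_defenses(data: bytes) -> list:
    """Names of the defenses a parser DLL 'an inch away from the Internet' should have but lacks."""
    rep = check_defenses(data)
    return [name for name in ("aslr", "dep", "cfg") if not rep[name]]


def build_minimal_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed sample (not a real DLL): DOS stub, PE signature, COFF header, optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes, PE sig at 0x40
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)  # DLL|EXECUTABLE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS if pe32plus else PE32)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_pe_defenses.py foo.dll bar.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        try:
            print(path, check_defenses(blob), "missing:", missing_defenses(blob))
        except ValueError as err:
            print(path, "skipped:", err)
```

Run it over every parser DLL a product ships; an empty `missing` list is the bar Howard describes as "SDL compliant", and anything else is a library that is an inch away from the Internet without the defenses the linker could have given it for free.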

Based on this, we can say that Microsoft's SDL process is becoming a powerful and usable instrument for producing more secure software.

About Dragan Pleskonjic

Chief Security Officer (CSO), Adjunct Professor, Security Researcher, Entrepreneur, Security Architect & Adviser, Software Development Manager, ISO 27001 Certified ISMS Lead Auditor, PCI ISA (Payment Card Industry Internal Security Assessor).

This entry was posted in Software Security, Threats, Vulnerabilities, Attacks.