Microsoft releases new security software tool for developers
January 19, 2011
Microsoft says it has released a new software tool to help application developers write secure apps by highlighting the operating-system objects created or modified when their completed software is installed on Windows computers and servers.
Released yesterday, Microsoft's new Attack Surface Analyzer (ASA) is a free code verification tool that carefully analyzes all the changes in system state, runtime parameters and securable objects in the Windows OS.
The software tool, which was released as part of Microsoft's Secure Development Lifecycle, takes snapshots of a system and compares the results before and after an app is installed. It then identifies resulting classes of security weaknesses.
“ASA also gives an overview of the changes to the operating system Microsoft considers important to the security of the computing platform and underscores these in the attack surface report,” said David Ladd, Microsoft's principal security program manager.
The checks performed include analysis of modified or newly added files, registry keys, services, ActiveX controls, listening ports and access control lists (ACLs).
It's available as a beta for now, so that Microsoft can collect feedback and usage information from its users.
Attack Surface Analyzer was one of several security tools Microsoft released at this week's Black Hat Security Conference in Washington, DC. The software giant also published the next version of its SDL Threat Modeling Tool that is used to assess whether applications under development meet security and privacy guidelines.
It now works with Microsoft Visio 2010. Microsoft also released version 1.2 of the SDL BinScope Binary Analyzer, a verification tool that analyzes binaries on a project-wide level to ensure they comply with SDL requirements.
Microsoft's new offerings add to a growing list of free security tools, ASA among them, that the company makes available to software developers.
Other tools include version 2 of EMET, short for Enhanced Mitigation Experience Toolkit. It is used to add security measures such as Data Execution Prevention and Address Space Layout Randomization to older applications and operating systems, such as Internet Explorer 6 and Windows XP.
Other apps include the Microsoft Solutions Framework, the Exploitable Crash Analyzer, and the Microsoft MiniFuzz fuzzer tool.
Yesterday's additions come as security vulnerability tracking service Secunia reported that failure to apply third-party patches (as opposed to updates from Microsoft) is almost exclusively responsible for the growing exposure of Windows computers and servers to security threats.
In other news, Microsoft said in December that it had removed a security fix for its Outlook 2007 email client from its regular Patch Tuesday update just two days after issuing it, citing Internet connection and performance issues for this rather unusual decision. The last time Microsoft did something similar was April 2010.
The Outlook security update was issued on December 14 at 1:30 PM EST as part of its regular Patch Tuesday release, which happens once or twice a month, starting on the second Tuesday of the month. Within just a few hours, computer users reported several issues with retrieving email and major delays when switching folders inside Outlook.
"This latest security update results in Outlook 2007 being extremely slow in switching folders and the archiving functionality appears to have been removed," said someone identified as "alspart" on a Microsoft support forum. "Is this an error or is it by design?" the user asked.
Other PC users said they couldn't send or receive email, including Gmail messages, through Outlook after installing the security patch.
Ironically, Microsoft had termed the update as one that contained "stability and performance improvements."
Microsoft support forum moderators were telling users to uninstall the update. Microsoft made that official late Friday in a post on the Outlook team's blog. "We have discovered several issues with the Outlook update and as of December 16, this update has been removed from Microsoft's official update."
According to Microsoft, the Tuesday patch contained no fewer than three critical issues: breakage of Secure Password Authentication (SPA), a Microsoft protocol used to authenticate mail clients like Outlook to a mail server; sluggish folder switching when Outlook wasn't configured to get mail from a Microsoft Exchange Server; and a broken Auto Archive feature.
The software giant urged PC users who had installed the update during its three days of availability to remove it immediately, and spelled out the necessary steps to achieve the task.
"We really apologize to our many users for not discovering these issues before releasing the update and for any other inconvenience we have caused to you," the Outlook team wrote on its blog. "We failed to meet our customers' expectation for quality with this security update. We are working to repair these problems and will post a release date for those fixes, and provide a link to download them, as soon as that information is readily available."
It isn't the first time Microsoft has pulled an update. In April, it withdrew a patch for Windows 2000 (which at the time was still being supported) over what it called "quality issues."
Then in early 2008, Microsoft also removed an update designed to prepare Windows Vista for Service Pack 1 (SP1) after users flooded support forums with tales of endless and catastrophic reboots.
But the software company hasn't yet set a timetable for releasing a corrected patch for its Outlook 2007 email client.
The flawed April security patch also caused other issues at several high-profile websites, including Microsoft's own Bing.com, Google, Wikipedia, Twitter and just about any site that lets IE 8 users create profiles.
Microsoft added the anti-XSS feature in IE 8 in August 2009 to detect Type-1 attacks that can lead to cookie theft, keystroke logging, website defacement and credentials theft.
But as researchers discovered, Microsoft's filters work by scanning outbound requests for strings that may be malicious in nature.
When such a suspicious string is detected, IE 8 dynamically generates a regular expression matching the outbound string. The browser then looks for the same pattern in the response from the server. If a match is found anywhere in the server's response, the browser assumes that a reflected XSS attack is being conducted and automatically alters the response so that the attack fails for whoever initiated it.
The exact method used to alter a server's response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized, a malicious script may still execute. On the other hand, it is equally important that benign requests are not falsely flagged.
Security analysts figured out a way to use IE 8's altered response to conduct simple abuses and universal cross-site scripting attacks.
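A simplified model of the detect-then-neuter logic described above, added here as an illustration and not Microsoft's code: the suspicious-string heuristics, the whitespace-tolerant signature and the '#' substitution are assumptions standing in for the filter's real rules, and the URLs and response bodies are constructed sample input.

```javascript
// Heuristics for "strings that may be malicious" in an outbound request
// (assumed for this example; the real filter uses a larger rule set).
const SUSPICIOUS = [
  /<script/i,        // script tag
  /javascript:/i,    // javascript: URL
  /\bon\w+\s*=/i,    // inline event handler such as onerror=
];

// Step 1: collect query-string values from the outbound request that match a heuristic.
function findSuspiciousValues(url) {
  const u = new URL(url);
  const hits = [];
  for (const [, value] of u.searchParams) {
    if (SUSPICIOUS.some((re) => re.test(value))) hits.push(value);
  }
  return hits;
}

// Step 2: turn the outbound string into a regular expression. The signature is
// made tolerant of whitespace and letter-case differences so that a server that
// lightly reformats the reflected value is still caught.
function signatureFor(value) {
  const escaped = value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp(escaped.replace(/\s+/g, '\\s*'), 'i');
}

// Step 3: look for each signature in the server's response. On a match, alter the
// response so the reflected markup no longer parses: here the first character of
// the match is replaced with '#'. A response that merely echoes benign input, or a
// request with no suspicious value, passes through untouched.
function filterResponse(url, responseBody) {
  let body = responseBody;
  let blocked = false;
  for (const value of findSuspiciousValues(url)) {
    const m = signatureFor(value).exec(body);
    if (m) {
      blocked = true;
      body = body.slice(0, m.index) + '#' + body.slice(m.index + 1);
    }
  }
  return { blocked, body };
}
```

The returned `blocked` flag is what a logging or telemetry hook would record; the altered `body` is what the rendering engine would receive.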