Microsoft: Human error caused critical SMB2 vulnerability

Summary: Microsoft is blaming human error for the critical SMB v2 vulnerability that exposed Windows users to remote code execution attacks.


Microsoft is blaming human error for one of the critical SMB v2 vulnerabilities that exposed Windows users to remote code execution attacks, and argues that it is nearly impossible to catch this type of bug with existing code-review tools and techniques.

According to a post-mortem of the issue by Redmond security guru Michael Howard, the company detected the vulnerable code "very late" in the Windows 7 development process. Howard argued that no static analysis tool would spot this type of human error, and that fuzz testing is the only SDL requirement that could.

"Right now there is no static analysis tool I know of that would point out the developer used the wrong variable, and our analysis tools didn't spot the potential array bounds problem in part because it's hard to do so without generating a very large quantity of false positives," Howard said.

"There is only one current SDL requirement or recommendation that could potentially find this, and that is fuzz testing. In fact we did find it very late in the Windows 7 development process through network fuzzing and that is why post-RC versions of Windows 7 do not have this bug," he added.

Howard did not explain why the fix was not back-ported to Windows Vista and other vulnerable versions before the flaw was independently discovered and disclosed by external security researchers.


He said the only other technique that could find this type of vulnerability -- an incorrect variable in an array reference -- is the process of "very slow and painstaking code review."

This code was peer-reviewed prior to check-in into Windows Vista; but the bug was missed. Humans are fallible, after all.

Howard said the types of vulnerabilities surfacing in Windows OS code today show that the mandatory SDL has "whittled away most of the 'low-hanging' bugs."

Of course, I might be proven wrong, but looking at all the bugs over the last year in Windows, the only pattern I can spot is there is no pattern! The majority of the bugs I see in Windows are one-off bugs that can’t be found easily through static analysis or education, which leaves only manual code review, and for some bug classes, fuzz testing. But fuzz testing is hardly perfect, because the malformed data might not hit the vulnerable code path or trigger a failure in the code.
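A constructed C example, added here and not Microsoft's own code, of the bug class Howard describes in the quotes above: a bounds check written against one field while a different field of the same width is used as the array index. The four-byte header layout, the eight-entry handler table, the field names and the sample inputs are all invented for the demo. It pairs the vulnerable dispatcher with its fix and adds a small fuzz loop to show both points from the post: a reviewer sees a bounds check and moves on, and a fuzzer that only flips random bytes almost never reaches the flawed line (the command check rejects nearly everything), while one that keeps the command field valid hits it on almost every case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed demo, not Microsoft's srv2.sys code: a 4-byte header with two
 * 16-bit little-endian fields and an 8-entry handler table are invented here
 * to illustrate the bug class (range check on one variable, array index taken
 * from another). */
#define NUM_HANDLERS 8

typedef struct {
    uint16_t command;   /* selects the handler; this is what gets validated */
    uint16_t pid_high;  /* unrelated field of the same width */
} demo_header_t;

typedef int (*select_fn)(const uint8_t *buf, size_t len);

static int parse_header(const uint8_t *buf, size_t len, demo_header_t *out)
{
    if (buf == NULL || len < 4)
        return -1;
    out->command  = (uint16_t)(buf[0] | (buf[1] << 8));
    out->pid_high = (uint16_t)(buf[2] | (buf[3] << 8));
    return 0;
}

/* Vulnerable: returns the table index the dispatcher would use, or -1 if the
 * header is rejected.  The bounds check is on `command`, but the index that
 * is handed back is `pid_high`.  Nothing is dereferenced here, so an
 * out-of-range result can be observed instead of crashing. */
int select_handler_vulnerable(const uint8_t *buf, size_t len)
{
    demo_header_t h;
    if (parse_header(buf, len, &h) != 0)
        return -1;
    if (h.command >= NUM_HANDLERS)   /* the check a reviewer expects to see */
        return -1;
    return h.pid_high;               /* ...but the wrong variable is indexed */
}

/* Fixed: the field that is checked is the field that is used. */
int select_handler_fixed(const uint8_t *buf, size_t len)
{
    demo_header_t h;
    if (parse_header(buf, len, &h) != 0)
        return -1;
    if (h.command >= NUM_HANDLERS)
        return -1;
    return h.command;
}

/* Constructed sample headers (little-endian fields). */
const uint8_t SAMPLE_VALID_CMD_BAD_PID[4] = { 0x03, 0x00, 0xFF, 0x7F }; /* command 3, pid_high 0x7FFF */
const uint8_t SAMPLE_INVALID_CMD[4]       = { 0x09, 0x00, 0x01, 0x00 }; /* command 9: rejected by both */
const uint8_t SAMPLE_BENIGN[4]            = { 0x05, 0x00, 0x02, 0x00 }; /* command 5, pid_high 2: wrong index, no symptom */

/* Small deterministic PRNG so fuzz runs are reproducible (seed must be nonzero). */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Feeds `iterations` random headers to `pick` and counts results that fall
 * outside the table.  protocol_aware == 0 randomizes all four bytes (dumb
 * fuzzing); protocol_aware != 0 keeps `command` valid and randomizes the
 * rest, as a network fuzzer that understands the header layout would. */
int count_out_of_bounds(select_fn pick, int protocol_aware, int iterations, uint32_t seed)
{
    uint32_t state = seed;
    int oob = 0;
    for (int i = 0; i < iterations; i++) {
        uint32_t r = xorshift32(&state);
        uint8_t buf[4] = { (uint8_t)r, (uint8_t)(r >> 8), (uint8_t)(r >> 16), (uint8_t)(r >> 24) };
        if (protocol_aware) {
            buf[0] = (uint8_t)(r & 0x07);   /* keep command in 0..7 */
            buf[1] = 0;
        }
        int idx = pick(buf, sizeof buf);
        if (idx >= NUM_HANDLERS)
            oob++;
    }
    return oob;
}

int main(void)
{
    printf("crafted header, vulnerable: index %d (table has %d entries)\n",
           select_handler_vulnerable(SAMPLE_VALID_CMD_BAD_PID, 4), NUM_HANDLERS);
    printf("crafted header, fixed:      index %d\n",
           select_handler_fixed(SAMPLE_VALID_CMD_BAD_PID, 4));
    printf("dumb fuzzing, 1000 cases:   %d out-of-bounds\n",
           count_out_of_bounds(select_handler_vulnerable, 0, 1000, 1));
    printf("aware fuzzing, 1000 cases:  %d out-of-bounds\n",
           count_out_of_bounds(select_handler_vulnerable, 1, 1000, 1));
    return 0;
}
```

The benign sample is the case Howard's caveat is about: the wrong variable is used, but its value happens to land inside the table, so neither a crash nor a sanitizer report results and the fuzzer learns nothing from that input. Only a case where the checked field passes and the unchecked field is large exposes the mistake.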

He called on software developers to spend more time on defenses that hold against vulnerabilities they do not yet know about, as well as on trying to prevent or remove the ones they can find.

See: MS09-050, SMBv2 and the SDL, by Michael Howard.

  • did not explain why the fix was not back-ported to Windows Vista and other

    That's very bad. I was wondering this myself when
    news broke that Win 7 was not vulnerable.

    What were they thinking? Fixing a bug and
    "forgetting" that other versions may actually
    be vulnerable?

    Or had they actually recorded this bug
    internally but decided to "sit on it" until a
    more convenient time (a Vista SP?) because
    nobody knew about it.

    This is fishy and I would like to see some
    better explanation for this.
    • it's probably the dunderhead factor

      It seems Microsoft is just as sclerotic as many
      US corporations.

      Very likely the groups don't meaningfully talk
      to each other, being in 'competition'. Thus
      some smart fellows on the new project aren't
      listened to by those who maintain the old.

      Whether this would explain the 'smack forehead'
      feeling that MS design so often evokes, I don't
      know. You can meet that kind of design

      Try as I did the new Hulu Desktop.

      Try to put a movie in your queue...which is the
      most used function of it, besides searching and

      Oh, yes. There is no search...just various
      kinds of listings. That is probably a 'marketer
      culture' decision, actually - force the
      customer to be lost in a sea, and maybe s/he'll
      bite on something s/he ordinarily wouldn't.
      Like your grocery chain store.

      I am trying to connect this marketer idea back
      to MS...and it is sad, really, as surely there
      are some nice and thoughtful persons who work
      Narr vi
      • Erm ... you know Hulu isn't owned or operated by Microsoft, right?
        • sure

          Hulu Desktop is just another example of d-f.
          Narr vi
  • The bug may have been very public...

    but the actual likelihood of attack is pretty slim, unless your IT department is incompetent. Several clients of mine that have Small Business Server 08 (based on Windows Server 08, not 08 R2) had a very low probability of attack because an attacker would have to penetrate their edge defenses before they could actually do any damage, and the vulnerability doesn't affect edge security.
    • Foolish thinking

      What if the attacker is inside the edge? The most destructive security penetrations occur from inside and while servers are more protected, many break-ins from the outside are proxied through security lapses on workstations.

      Defense in depth.
      Old Techie
  • RE: Microsoft: Human error caused critical SMB2 vulnerability

    Funny, i thought pretty much all security vulnerabilities were as a result of human error.
  • No really?

    Human error caused a vulnerability... what news...
  • RE: Microsoft: Human error caused critical SMB2 vulnerability

    Hi, I have Win 7 RTM and checked and don't have this vulnerability.
  • RE: Microsoft: Human error caused critical SMB2 vulnerability

    All "programming errors" are Human Errors!
  • It could only possibly be human error...

    HAL: Let me put it this way, Mr. Amor. The 9000 series is the most reliable computer ever made. No 9000 computer has ever made a mistake or distorted information. We are all, by any practical definition of the words, foolproof and incapable of error.
  • Human error or no.........

    Microsoft will (as always) blame somebody else (besides Microsoft).
    Microsoft Blames Users for Vista Problems
    An article covering "Five Misunderstood Features in Windows Vista" claims that all Vista problems are only perceived by users and blames their judgment of the OS. You can get upset, or have a good laugh.
    Microsoft blames users for Vista infections
    Microsoft blames users for OneCare fiasco
    Open source gets results, while Microsoft blames malware on 'stupid users'
    Posted by Ed Burnette @ 2:21 pm
    Never Blame Microsoft, Blame Users and Exploits
    Microsoft blames human error for WGA glitch
    Microsoft Corp. blamed human error for a problem that identified legitimate Windows users as pirates last week.
    Ole Man
    • How is "human error" blaming someone else?

      The Microsoft Corporation is made up of humans. I don't see how "human error" can be interpreted as anything other than "it's our fault, now we have to fix it".
      Michael Kelly
      • OK, I stand corrected

        This is the first time I have seen Microsoft NOT blame somebody else. I give them credit where credit is due. They need it BADLY.
        Ole Man
    • Yawn!!

      Confused by religion
    • human error

      While I agree with you that lately all the blame has been shifted to everyone else except Microsoft, this is clearly Microsoft admitting that it was their mistake.
    • Prime examples of 'delegation', those are...

    • You must not work in IT

      Because most of those 'Microsoft blames' issues
      are valid. The OneCare situation is a perfect
      example. Those users had to have clicked on an
      option to delete those files. (How dare the evil
      MS not go based on the assumption that every
      user is a total moron!) I'd be willing to bet
      90% of malware infections worldwide are caused
      by 'stupid' users.

      The fact of the matter is every major development
      shop these days is having serious issues keeping
      up due to two reasons.

      1) the threats out there are growing in number,
      permeation, and complexity

      2) the user base is growing larger and larger,
      and whole new demographics of lay-users are
      entering the market. People who do not
      necessarily understand anything about computing,
      its history, or the proper way of doing

      All of the big dev companies out there face
      these issues. Microsoft happens to be one of the
      most widespread in its product penetration and
      has the highest profile. So it has become trendy
      to bash them anytime they might get it wrong, or
      something bad happens.

      I am not an avid MS fan. I think some of their
      coding practices are still absurd, and they'll
      only pry me away from Debian when I'm dead. But
      come on people, let's be honest here, nobody's
      really playing fair with MS these days. Give
      them the benefit of the doubt, there are some
      really good people over there. Don't believe me?
      Go read some of Mark Russinovich's stuff, the
      guy is brilliant.
  • RE: Microsoft: Human error caused critical SMB2 vulnerability

    I can respect that. Microsoft knows they are only human and are prone to mistakes as others are. They aren't trying to be above this or sweep it under the rug. They openly admit that it was human error. I respect that it took actual humans to find it instead of software, and that is no easy task. Microsoft always takes the steps necessary. Good for them.
    Loverock Davidson
  • Human error: End Users

    I am shocked they took the blame; most of the time they blame us.

    Or in Vista's case they took the blame, then a week later changed their minds and blamed every Vista user.