Wednesday, August 15, 2007

MS Patches: Input validation and virtualization

I have been making a point in several places that application security is increasingly important. Attackers are increasingly moving up the stack, toward the application layer. This observation is not something that I have come up with myself, nor is it something that is too terribly shocking.

However, I do feel that although many security professionals are aware of the problem, they still do not fully understand the scale and the potential impact of deficient code, despite the lessons of the Y2K and Euro conversion efforts.

This month's Microsoft patches have been released. Of the nine bulletins, four address vulnerabilities that are directly caused by input validation errors: MS07-044 (Excel), MS07-046 (GDI), MS07-048 (Windows Gadgets) and MS07-050 (VML).

Three of the four are rated critical and one is rated important. Input validation errors are among the easiest classes of flaw to prevent: treat every length, count and offset taken from untrusted input as hostile until it has been checked against the buffers and bounds the code actually controls, and enforce that through proper coding practices and/or (automated) code review.
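To make the point concrete, here is an added example (not code from the original post, and not the format of any Microsoft product) of the bug shape behind file-format parsing flaws such as these: a hypothetical record format with a 2-byte length field followed by that many payload bytes. The unchecked parser trusts the declared length; the hardened one checks it against both the bytes actually supplied and the output buffer before using it. The record format, the function names and the sample inputs are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record format, constructed for this example: a 2-byte
 * little-endian length field followed by that many payload bytes. */
#define RECORD_HEADER_LEN 2
#define PAYLOAD_MAX 64

/* Scratch output buffer shared by the demonstration in main below. */
uint8_t scratch[PAYLOAD_MAX];

/* Vulnerable: trusts the length field taken from the untrusted input.
 * If the declared length exceeds the bytes actually supplied, memcpy
 * reads past the input; if it exceeds PAYLOAD_MAX, it writes past the
 * caller's buffer. Returns the number of bytes copied. */
size_t parse_record_unchecked(const uint8_t *in, size_t in_len,
                              uint8_t out[PAYLOAD_MAX])
{
    (void)in_len;                      /* the bug: the real size is ignored */
    size_t declared = (size_t)in[0] | ((size_t)in[1] << 8);
    memcpy(out, in + RECORD_HEADER_LEN, declared);
    return declared;
}

/* Hardened: every value taken from the input is checked against what the
 * caller actually controls before it is used as a size. Returns the
 * payload length, or -1 if the record is rejected. */
long parse_record_checked(const uint8_t *in, size_t in_len,
                          uint8_t out[PAYLOAD_MAX])
{
    if (in == NULL || out == NULL || in_len < RECORD_HEADER_LEN)
        return -1;                     /* not even a complete header */
    size_t declared = (size_t)in[0] | ((size_t)in[1] << 8);
    /* Compare against the remaining bytes by subtraction rather than
     * testing RECORD_HEADER_LEN + declared > in_len, so the check itself
     * cannot wrap around on a large declared value. */
    if (declared > in_len - RECORD_HEADER_LEN)
        return -1;                     /* would read past the input */
    if (declared > PAYLOAD_MAX)
        return -1;                     /* would write past the output */
    memcpy(out, in + RECORD_HEADER_LEN, declared);
    return (long)declared;
}

/* Constructed sample records (not captured from any real file): a
 * well-formed one, and one whose header claims 65535 payload bytes. */
static const uint8_t benign_record[]  = { 0x03, 0x00, 'a', 'b', 'c' };
static const uint8_t hostile_record[] = { 0xFF, 0xFF, 'a', 'b', 'c' };

int main(void)
{
    printf("unchecked, benign:  %zu bytes\n",
           parse_record_unchecked(benign_record, sizeof benign_record, scratch));
    printf("checked,   benign:  %ld bytes\n",
           parse_record_checked(benign_record, sizeof benign_record, scratch));
    printf("checked,   hostile: %ld (rejected)\n",
           parse_record_checked(hostile_record, sizeof hostile_record, scratch));
    /* parse_record_unchecked(hostile_record, ...) is deliberately not
     * called: it would memcpy 65535 bytes over a 64-byte buffer. */
    return 0;
}
```

The two checks in the hardened version are exactly the ones an automated review tool or a careful reviewer looks for: a size from the input compared against the input length, and the same size compared against the destination. Note the subtraction form of the first check; writing it as an addition reintroduces an integer overflow on platforms where the length field is wider than two bytes.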

Also interesting to note is that the fortress of virtualization is beginning to crumble. This month's patches include MS07-049, which fixes a vulnerability in Virtual PC and Virtual Server that allows an attacker with administrator privileges on a guest OS to run arbitrary code on the host OS. It is easy to see that an attacker who compromises the host can then hop onto every other guest running on it, and in doing so compromise a large number of systems at once. The caveat is that the attacker first needs a foothold inside one guest; the guest-to-host escape is what turns a single compromised VM into a compromise of every VM on that host.
