MS Patches: Input validation and virtualization
I have been making a point in several places that application security is increasingly important. Attackers are increasingly moving higher in the OSI stack. This observation is not something that I have come up with myself, nor is it terribly shocking.
However, I do feel that while many security professionals are aware of the problem, they still, despite the lessons of Y2K and the Euro conversion, do not fully understand the scale and the potential impact of deficient code.
This month's Microsoft patches have been released. Of the 9 patches released, four are directly caused by input validation errors (MS07-044, MS07-046, MS07-048, and MS07-050).
Three of the four vulnerabilities are rated as critical and one is rated as important. Input validation errors are among the easiest to prevent by adopting proper coding practices and/or by (automated) code review.
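As an added illustration of the "proper coding practices" point (example code written for this note, not code from any of the bulletins above): a parser for a small constructed record format, where every attacker-controlled value is checked against both the bytes actually received and the destination capacity before it is used as a size. The record layout, the MAX_PAYLOAD limit and the status codes are all assumptions made for the example; the three omitted checks are exactly the ones whose absence turns a length field into a memory-corruption primitive.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire record, constructed for this example:
 *   bytes 0-1 : payload length, big-endian
 *   bytes 2.. : payload
 * MAX_PAYLOAD is the capacity of the caller's destination buffer. */
#define MAX_PAYLOAD 16

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER = 1,  /* fewer than 2 bytes: no length field at all   */
    PARSE_TOO_LONG = 2,      /* declared length exceeds destination capacity */
    PARSE_TRUNCATED = 3      /* declared length exceeds bytes received        */
};

/* Copy the payload of one record into out (capacity MAX_PAYLOAD).
 * The order of the checks matters: buf_len >= 2 is established first,
 * so the later subtraction buf_len - 2 cannot wrap. */
enum parse_status parse_record(const uint8_t *buf, size_t buf_len,
                               uint8_t *out, size_t *out_len)
{
    if (buf_len < 2)
        return PARSE_SHORT_HEADER;

    size_t declared = ((size_t)buf[0] << 8) | buf[1];

    if (declared > MAX_PAYLOAD)          /* bound against where we write */
        return PARSE_TOO_LONG;
    if (declared > buf_len - 2)          /* bound against what we read   */
        return PARSE_TRUNCATED;

    memcpy(out, buf + 2, declared);      /* both bounds verified */
    *out_len = declared;
    return PARSE_OK;
}

/* Each helper feeds one constructed input through the parser and
 * returns 1 if the parser behaved as intended, 0 otherwise. */
int demo_good(void)
{
    const uint8_t rec[] = { 0x00, 0x03, 'a', 'b', 'c' };   /* length 3, 3 bytes follow */
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    return parse_record(rec, sizeof rec, out, &n) == PARSE_OK
        && n == 3 && memcmp(out, "abc", 3) == 0;
}

int demo_truncated(void)
{
    const uint8_t rec[] = { 0x00, 0x0a, 'x', 'y' };        /* claims 10, only 2 follow */
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    return parse_record(rec, sizeof rec, out, &n) == PARSE_TRUNCATED;
}

int demo_too_long(void)
{
    const uint8_t rec[] = { 0x01, 0x00, 'z' };             /* claims 256 > MAX_PAYLOAD */
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    return parse_record(rec, sizeof rec, out, &n) == PARSE_TOO_LONG;
}

int demo_short_header(void)
{
    const uint8_t rec[] = { 0x00 };                        /* length field incomplete */
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    return parse_record(rec, sizeof rec, out, &n) == PARSE_SHORT_HEADER;
}

int main(void)
{
    printf("well-formed record accepted : %d\n", demo_good());
    printf("truncated record rejected   : %d\n", demo_truncated());
    printf("oversized record rejected   : %d\n", demo_too_long());
    printf("short header rejected       : %d\n", demo_short_header());
    return 0;
}
```

The point of the example is that each rejected case corresponds to one check a reviewer (or a static analysis rule) would look for: that the header is present before it is read, that a received length is compared with the destination size, and that it is compared with the number of bytes actually available.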
Also interesting to note is that the fortress of virtualization is beginning to crumble. This month's patches include MS07-049, which allows an attacker to exploit a vulnerability in Virtual PC to run arbitrary code on the host OS. It is easy to imagine that an attacker who compromises a host OS can hop onto the other guest OSes and, by doing so, compromise a large number of hosts with little effort.