Tuesday Jun 02, 2009

Secure Programming Tips... outdated? Nah...

In support of Scott Rotondo's presentation on Secure Programming today at Community One, I decided to brush up an internal paper on Secure Programming tips and make it available on the OpenSolaris website.

Even though I thought the paper contained some valuable advice, I had some reservations about publishing it, since it was written back in 2002, with examples that were "hot" at the time but maybe less inspiring today. After all, this was seven-year-old stuff, which is almost eons in a field that changes as fast as computer security does, right? I mean, who wants to hear about preventing buffer overflows, heap overflows, integer under- or overruns, and sign extension errors, when today people care about XSS attacks, password resets and other forms of hacks... We've been there, done that, right?

Well, no... I was flabbergasted to see the list of errors fixed by Apple's QuickTime update released this month... from Zero Day's web post, I learned these bugs were fixed:

  • CVE-2009-0188: A memory corruption issue exists in QuickTime’s handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0951: A heap buffer overflow exists in the handling of FLC compression files. Opening a maliciously crafted FLC compression file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0952: A buffer overflow may occur while processing a compressed PSD image. Opening a maliciously crafted compressed PSD file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0010: An integer underflow in QuickTime’s handling of PICT may result in a heap buffer overflow. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0953: A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0954: A heap buffer overflow exists in QuickTime’s handling of Clipping Region (CRGN) atom types in a movie file. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0185: A heap buffer overflow exists in the handling of MS ADPCM encoded audio data. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0955: A sign extension issue exists in QuickTime’s handling of image description atoms. Opening a maliciously crafted Apple video file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0956: An uninitialized memory access issue exists in QuickTime’s handling of movie files. Viewing a movie file with a zero user data atom size may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0957: A heap buffer overflow exists in QuickTime’s handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution.

This is an amazing list of basic programming errors (worst of all: "blindly trusting untrusted input") that should simply not be allowed to exist anymore (yeah I know, wishful thinking).
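To make the "trusting untrusted input" pattern concrete, here is an added example (not from the original post and not QuickTime's code) of a toy atom-header parser: the unchecked length computation that underflows on a zero-size atom, the validated version beside it, and the sign-extension variant. The atom layout assumed here (32-bit big-endian size that counts the 8-byte header, then a 4-byte type) follows the QuickTime container format; the function names and sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy QuickTime-style atom header (assumed layout for this example):
 * 32-bit big-endian size, which counts the 8-byte header itself,
 * followed by a 4-byte type code such as 'udta'. */
#define ATOM_HDR 8u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bug pattern: trusts the size field. With size == 0 the subtraction
 * wraps to 0xFFFFFFF8, so any copy or allocation sized from the result
 * reads or writes far past the real atom (cf. the underflow and
 * zero-size entries in the list above). */
size_t atom_payload_len_unchecked(const uint8_t *buf) {
    uint32_t size = be32(buf);
    return (size_t)(size - ATOM_HDR);          /* wraps when size < 8 */
}

/* Fix: validate before doing arithmetic on attacker-controlled lengths.
 * Returns 0 and sets *out on success, -1 on any malformed header. */
int atom_payload_len_checked(const uint8_t *buf, size_t buflen, size_t *out) {
    if (buflen < ATOM_HDR) return -1;          /* not even a full header */
    uint32_t size = be32(buf);
    if (size < ATOM_HDR) return -1;            /* zero/short size: no underflow possible */
    if (size > buflen) return -1;              /* claims more bytes than were read */
    *out = size - ATOM_HDR;
    return 0;
}

/* Sign-extension pattern: a 16-bit width read as signed becomes a huge
 * size_t once promoted; 0xFFF0 turns into -16 and then SIZE_MAX - 15.
 * Reading the field as unsigned keeps it bounded to 65535. */
size_t width_sign_extended(const uint8_t *p) {
    int16_t w = (int16_t)(((unsigned)p[0] << 8) | p[1]);
    return (size_t)w;
}

int main(void) {
    /* Constructed sample: a 'udta' atom whose size field is 0. */
    const uint8_t zero_udta[8] = {0, 0, 0, 0, 'u', 'd', 't', 'a'};
    size_t n = 0;
    printf("unchecked length: %zu\n", atom_payload_len_unchecked(zero_udta));
    printf("checked result: %d\n", atom_payload_len_checked(zero_udta, sizeof zero_udta, &n));
    return 0;
}
```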

In any case, even though the paper is only a guideline and definitely not a complete programming resource, I now no longer have any reservations publishing this brushed-up paper... Thanks Apple!

PS: This once again strengthens my belief that browsers (and plug-ins, and media players) should be run in a tightly controlled environment (no stack execute permission, no heap execute permission, no file access permission outside a controlled part of the file system)... can anyone spell FGAP? I should really get around to implementing some jailing like that using FGAP, so I no longer have to worry about Microsoft quietly installing .NET plugins for Firefox.
