Microsoft is blaming human error for the the critical SMB v2 vulnerability that exposed Windows users to remote code execution attacks and argues that it’s near impossible to catch these types of bugs with existing code review tools and techniques.
According to a post-mortem of the issue by Redmond security guru Michael Howard, the company detected the vulnerable code “very late” in the Windows 7 development process but argued that there are no static analysis tools or SDL requirements that would spot this type of human error.
“Right now there is no static analysis tool I know of that would point out the developer used the wrong variable, and our analysis tools didn’t spot the potential array bounds problem in part because it’s hard to do so with generate a very large quantity of false positives,” Howard said.
“There is only one current SDL requirement or recommendation that could potentially find this, and that is fuzz testing. In fact we did find it very late in the Windows 7 development process through network fuzzing and that is why post-RC versions of Windows 7 do not have this bug,” he added.
Howard did not explain why the fix was not back-ported to Windows Vista and other vulnerable versions until it was independently discovered and released by external security researchers.
He said the only other technique that could find this type of vulnerability — an incorrect variable in an array reference — is the process of “very slow and painstaking code review.”
“This code was peer-reviewed prior to check-in into Windows Vista; but the bug was missed. Humans are fallible, after all.”
Read Michael Howard’s explanation [msdn.com]