Why Windows Vista is unaffected by the VML Bug

MS07-004 does not affect Windows Vista, even though the coding bug is there. Why?

The bug is an integer overflow in a call to C++ operator new, but the affected component, vgx.dll, is compiled with the C++ compiler available in Visual Studio 2005, which automatically detects integer overflows at runtime. All of Windows Vista is compiled with this compiler.

You can read more about this compiler change in a previous blog.

The moral of this story is that developers will never find all code-level security bugs, so you need other defenses. Just in case!
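
The size arithmetic behind this class of bug, as an added C++ example that is not code from the original post or from vgx.dll: it models the 32-bit byte count computed for `new Element[count]` with and without an overflow check. `Element`, the function names and the sample count are assumptions, and `checked_bytes` is a model of the runtime check, not the compiler's emitted code.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>

// Hypothetical 16-byte record type (an assumption, not a structure from vgx.dll).
struct Element { std::uint32_t fields[4]; };
static_assert(sizeof(Element) == 16, "example assumes a 16-byte element");

// 32-bit size type, so the arithmetic matches an x86 build on any host.
using size32 = std::uint32_t;
constexpr size32 kMax32 = std::numeric_limits<size32>::max();

// Unchecked form: the byte count for `new Element[count]` wraps modulo 2^32.
size32 unchecked_bytes(size32 count) {
    return count * static_cast<size32>(sizeof(Element));
}

// Checked form (a model of the runtime check): if the multiplication would
// overflow, request the largest possible size so the allocation fails
// instead of returning a buffer that is far too small.
size32 checked_bytes(size32 count) {
    if (count > kMax32 / sizeof(Element)) return kMax32;
    return count * static_cast<size32>(sizeof(Element));
}

// The same guard written by hand around a real allocation.
// Returns nullptr when the element count cannot be represented in bytes.
Element* allocate_checked(std::size_t count) {
    if (count > std::numeric_limits<std::size_t>::max() / sizeof(Element))
        return nullptr;
    return new (std::nothrow) Element[count];
}

int main() {
    const size32 count = 0x10000001u;  // constructed sample value
    std::printf("unchecked: %u bytes\n", static_cast<unsigned>(unchecked_bytes(count)));
    std::printf("checked:   %u bytes\n", static_cast<unsigned>(checked_bytes(count)));
    Element* p = allocate_checked(4);
    std::printf("small allocation %s\n", p ? "succeeded" : "failed");
    delete[] p;
    return 0;
}
```

With the constructed count, the unchecked form asks for 16 bytes to hold over 268 million elements, while the checked form asks for a size no allocator can satisfy.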

Comments

  • Anonymous
    January 10, 2007
    Good news! But I wonder: while not a security issue, it is still a bug. Do you know what Microsoft's patching policy is in this case? If this bug sets the trend, it will only be corrected in the next release of vgx.dll, either via some unfortunate security issue or a service pack. PS: I loved the SDL book!

  • Anonymous
    January 11, 2007
    Hi Michael, and what about Visual C++ Express Edition? Does it have the same control of integer overflows at runtime? I searched the Express documentation, but I didn't find information about this feature. Best! Weber Ress

  • Anonymous
    January 11, 2007
    Portuguese version of this post. http://www.weberress.com/2007/01/defesa-em-camadas-protege-windows-vista.html

  • Anonymous
    January 11, 2007
    Guillaume, we issue security patches for security bugs only :)

  • Anonymous
    January 11, 2007
    Release candidate is though. http://www.microsoft.com/downloads/details.aspx?familyid=052484bf-2fd4-4922-b1a9-1f0da9bc727b&displaylang=en&tm This update addresses the vulnerability discussed in Microsoft Security Bulletin MS07-004. To find out if other security updates are available for you, see the Overview section of this page.

  • Anonymous
    January 12, 2007
    French translation of Michael HOWARD's post: Why Windows Vista is unaffected by the VML Bug Le

  • Anonymous
    February 05, 2007
    How does the Visual Studio compiler's security protection compare with, say GCC's '-fstack-protector' and '-D_FORTIFY_SOURCE' options?

  • Anonymous
    March 16, 2007
    Dave, first, -GS (stack protection) is enabled by default; is it enabled by default in GCC? Second, the fortify source sounds like something we have in VC++ 2005: http://blogs.msdn.com/michael_howard/archive/2005/02/03/366625.aspx