Gary McGraw wrote:
> To cycle this all back around to the original posting, let's talk about
> the WMF flaw in particular.  Do we believe that the best way for
> Microsoft to find similar design problems is to do code review?  Or
> should they use a higher level approach?
> Were they correct in saying (officially) that flaws such as WMF are hard
> to anticipate? 
I have heard some very insightful security researchers from Microsoft
pushing an abstract notion of "attack surface", which is the amount of
code/data/API/whatever that is exposed to the attacker. To design for
security, among other things, reduce your attack surface.

The WMF design defect seems to be that IE has too large of an attack
surface. There are way too many ways for unauthenticated remote web
servers to induce the client to run way too much code with parameters
provided by the attacker. The implementation flaw is that the WMF API in
particular is vulnerable to malicious content.

None of which strikes me as surprising, but maybe that's just me :)

Crispin Cowan, Ph.D.
Director of Software Engineering, Novell
Olympic Games: The Bi-Annual Festival of Corruption

Secure Coding mailing list (SC-L)