ANI Patch: The Day After

The ANI vulnerability rose to urgency near the end of March, when the first exploit code appeared and reappeared again and again. Within days of the first exploit, ANI posed such serious risk that Microsoft instructed end users to read all e-mail in plain text.

But while exploits appeared about a week ago, Microsoft had known about the vulnerability since mid-December. Why did the patch take so long?

The ANI vulnerability bears striking similarity to the WMF (Windows Metafile) bug that squashed some Microsoft researchers' 2005 holiday and 2006 New Years. Both flaws affect the Windows graphics subsystem—or GDI—and were exploited without patches being available.

Similarities are elsewhere. Microsoft's ANI patch fixed six other flaws, all affecting GDI. The ANI patch also covers the WMF Denial of Service Vulnerability (CVE-2007-1211) reported to Microsoft by iDefense; the EMF Elevation of Privilege Vulnerability (CVE-2007-1212) reported to Microsoft by Shaun Colley of NGS Software; the Font Rasterizer Local Elevation of Privilege Vulnerability (CVE-2007-1213) reported by Thomas Phinney of Adobe Systems; and the GDI Incorrect Parameter Local Elevation of Privilege Vulnerability (CVE-2007-1215) reported by Sergey Svinolobov.

ANI also affects Windows Vista, raising concerns that other GDI problems, perhaps going back years, will later be discovered. Security provider Determina, which warned Microsoft about ANI back in December, has a blog post showing how the flaw can affect Vista.

In a late-day blog post yesterday, Mike Reavy, a program manager with Microsoft's Security Response Center, explained some of the forensics involved with developing a patch. He also revealed why the patch process took so long: GDI.

Changes to GDI deeply affect Windows and also third-party applications and device drivers. One GDI vulnerability also can require others to be fixed, as was the case with ANI.

Test, Test, Testing
Microsoft engaged a fairly lengthy testing process, as it did with WMF, to mitigate potential compatibility problems. Reavy explains:

"The update modifies functionality that is pervasive and core to the operating system, both in graphics rendering, as well [as] kernel mode operations. So extensive testing was performed, and that process involved hundreds of folks in multiple teams worldwide to ensure as complete coverage as possible. In this case at one point our testing had uncovered over 80 potential issues with the update that were investigated and resolved."

Reavy didn't clearly say how long Microsoft took to develop the ANI patch. I know that for WMF, Microsoft had a patch within 24 hours after confirming the flaw. But compatibility testing delayed release of the patch. Still, the delay for WMF was a couple weeks, while ANI took nearly four months from vulnerability notification to patch release.

Michael Cherry, Directions on Microsoft lead analyst for Windows and Mobile, praised Microsoft for stepping forward and releasing the patch early. Reavy indicated that Microsoft had planned to issue the fix on April 10, during the normal cycle of patches.

"I think the security response center in general does a pretty good job," Cherry said. "Here they faced a dilemma: Release a patch out of band, as they like to call it, and force two patch events in a single month, or live with a publicly circulating—and therefore growing—threat. I think this is exercising the sort of judgment we need to see them make."

In my discussions with members of Microsoft's Security Response Center, minimizing patch impact is one of the group's top priorities. By revenue, businesses are Microsoft's biggest customers and the ones potentially most affected by a security fix. GDI changes could break many different applications because of the pervasive use of the graphics subsystem.

My colleague Larry Seltzer questioned the sensibility of releasing seven patches together. He wrote in a blog post yesterday: "The ANI patch should be deployed quickly, as soon as possible. By including it with this many other fixes they make it harder to test."

He makes a valid point, if minimizing patch impact is a priority. But Reavy sees things differently: "We fixed seven reported vulnerabilities as well as other issues found through internal investigation, instead of asking customers to deploy multiple fixes for the same set of vulnerabilities," he wrote his blog post.

"Perhaps they should have left the rest of the update for next week," Seltzer said.

For Curtis Edwards, director of IT director for Pottawatamie County, Iowa, neither option would matter.

"We usually will not install a patch right away and take a wait-and-see attitude," he said. His organization hadn't installed the patch, ahead of testing. Even after concluding testing, the county would "roll out [the patch] in groups to mitigate risk."

Timing of the patch, one week before another round of them, had no affect on Edwards' deployment plans.

"I suppose if a company was that worried about two patch cycles they could hold it a week," Cherry said.

Measure of Success
The ANI patch will succeed or fail by two measures: fixing the problem and doing so with minimal negative impact. If the latter proves true, Microsoft can more confidently stand up for the lengthy testing process.

So far, early signs are cautiously favorable for Microsoft. While SANS is reporting some problems, they have been minor so far.

Microsoft has confirmed one glitch identified by SANS, having to do with the Realtek High-Definition Audio Control Panel. The problem has to do with the control panel not starting, along with an error message upon system startup that says, "Illegal System DLL Relocation."

"Nothing other than the RealTek issue," said Sunbelt Software's Alex Eckleberry—feedback confirmed by other experts.

Nevertheless, SANS reports that other issues are being investigated. Microsoft is asking anyone having problems after installing the patch to call Microsoft Product Support Services at 1-866-PCSAFETY.

"We installed the patch through SUS/WSUS [Software Update Services/Windows Server Update Services]," said Gene Pizzo, network administrator for DACCO (Drug Abuse Comprehensive Coordinating Office), in Tampa, Fla. "So far there haven't been any problems."

But Pizzo took a critical view of Microsoft's "proprietary" technologies that are "wide open for exploitation." He would prefer that Microsoft take a more open-source approach.

I told Pizzo that Microsoft might argue that open source's all-eyes approach would lead to prying eyes of the criminals.

"The criminals seem to be doing a pretty good exploitation job on Microsoft as we speak," Pizzo responded. "The industry would be better off with open source because more good guys would be working to tighten up the code. The criminals will still be there, but more secure code should diminish the criminals' effect on the industry."

Commenters, is he right?

We would like to thank Security Watch's Lisa Vaas for her important contributions to this post.

Related Posts:

• Microsoft Sees Double (Security Tuesdays), Microsoft Watch, April 3, 2007
• Microsoft Posts ANI Patch, Security Watch, April 3, 2007
• ANI Exploit Tries the 'Hot Pictures of Britney Spears' Shtick, Security Watch, April 3, 2007
• Widespread ANI Attack Coming Out of Asia/Pacific, Security Watch, April 3, 2007
• Windows ANI Workaround Updated as Exploit Mutates, Security Watch, April 2, 2007
• Microsoft Jumps Schedule to Patch ANI, Security Watch, April 2, 2007
• ANI Zero Day Takes New Turns to the Uber-Nasty, Security Watch March 31, 2007
• ANI Exploit Tied to Hacked Super Bowl Site, Security Watch, March 30, 2007
• Workaround Out for Windows ANI Zero Day, Security Watch, March 30, 2007
• Beware the Windows Animated Cursor, Says MS, Security Watch, March 29, 2007
• Drive-by Exploit Plants Trojans onto Fully Patched Windows Systems Running IE, Security Watch, March 29, 2007
• Vista Security by the Numbers, Microsoft Watch, March 26, 2007