Why Hackers Are Winning

Microsoft just patched a bug this month (see article) that potentially allows a hacker to take over your computer and for sure allows a hacker to crash it – repeatedly – all because they forgot to check for a carry overflow in an addition operation.  It potentially affects 70 million web sites and is being actively exploited as you read this.

I will try to make this as non-geeky as I can.

Windows runs in two modes – user mode, where MOST programs run, and kernel mode, where certain parts of Windows run.  In kernel mode, a program can do anything it wants – talk to the hardware, whatever.  The goal should be that as little as possible runs in kernel mode because if the programmers make a mistake, it can be, to say this kindly, catastrophic.

If a program needs to ask Windows to perform certain tasks for it, it makes system calls and each one of these calls has some overhead to it.  If you look at things from a certain perspective, if you move code from user mode to kernel mode, it will run faster since in kernel mode it just does stuff instead of asking Windows to “please do this for me”.  However, if there are any bugs, you run the risk of making the hackers VERY happy, since they now control the real hardware of the machine.

A few years ago (when Windows 7 was being written), Microsoft decided to move part of its web server into kernel mode to improve its performance.  That code runs in most versions of Windows 7, Windows Server 2008 and 2012 and Windows 8.

In this code, they needed to do a calculation about the length of something (which is end-start+1).  If you do this in Excel or in a high-level programming language, they make sure that all the i's are dotted and t's crossed, but operating systems are written in low-level languages to improve performance and in that case you are on your own.

Without going into details, they forgot one part of the calculation (checking for a carry out) and the result is that under certain circumstances, the server will crash.  There are a lot more details, but that is not important for this post.
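The missing check described above, as an added illustration (not Microsoft's code and not from the original article): a 64-bit `end - start + 1` computed without and with a carry check, using the 0 and 18,446,744,073,709,551,615 endpoints this post cites. The function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: end - start + 1 in 64-bit unsigned arithmetic.
 * If the +1 carries out of 64 bits, the carry is silently dropped
 * and the result wraps around to a small number. */
uint64_t range_len_unchecked(uint64_t start, uint64_t end)
{
    return end - start + 1;
}

/* Checked: refuses reversed ranges and the one span where the +1
 * would carry out. *len is written only on success. */
bool range_len_checked(uint64_t start, uint64_t end, uint64_t *len)
{
    if (end < start)
        return false;            /* reversed range, subtraction would wrap */
    uint64_t span = end - start;
    if (span == UINT64_MAX)
        return false;            /* span + 1 does not fit in 64 bits */
    *len = span + 1;
    return true;
}

int main(void)
{
    uint64_t len = 0;

    /* Ordinary range: both versions agree on 10. */
    printf("unchecked 0..9          = %llu\n",
           (unsigned long long)range_len_unchecked(0, 9));
    if (range_len_checked(0, 9, &len))
        printf("checked   0..9          = %llu\n", (unsigned long long)len);

    /* The endpoints from the post: the unchecked length wraps to 0. */
    printf("unchecked 0..UINT64_MAX = %llu\n",
           (unsigned long long)range_len_unchecked(0, UINT64_MAX));
    printf("checked   0..UINT64_MAX = %s\n",
           range_len_checked(0, UINT64_MAX, &len) ? "accepted" : "rejected");
    return 0;
}
```

Code that later trusts the wrapped length is working from a number that no longer describes the range the caller asked for, which is why the checked version rejects the input instead of returning a value.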

One stupid check missing can cause the server to crash.  Potentially affecting 70 million web sites (note:  it is only a problem if the site has kernel caching turned on, which is the default).

Of course, the hackers know, now that Microsoft has released a patch, what the problem is and have been crashing web sites right and left.  And, Microsoft thinks, a hacker might be able to execute any code she wants to as a result of this bug.

Even though Microsoft calls this a critical patch, tens of millions of web sites have not been patched and are at risk.

And while Microsoft got caught this time, it happens to Apple, Google, and anyone else that writes programs.  This stuff is very complicated and always has bugs – some more critical than others.

The programmer has to get it right every time.  The hacker only needs to get it right once.  This is ESPECIALLY true if the code is running in kernel mode.

And remember that testing only confirms the presence of bugs, not the absence of bugs, so testing would be unlikely to test for a length of exactly 0 – 18,446,744,073,709,551,615, which is the ONLY length that will cause the server to crash.

Which is why the hackers are winning.
